From 2574a38ea86c35fd0a41c46dc87aaeafdb194806 Mon Sep 17 00:00:00 2001
From: oren <get.oren@gmail.com>
Date: Tue, 4 Feb 2014 11:30:55 -0500
Subject: [PATCH 01/16] Add and rename pinserver_plus to modules/pinserver_ldap

---
 modules/pinserver_ldap/README.md              |  40 +
 .../includes/pinserver_ldap.api.inc           |  64 ++
 .../pinserver_ldap/pinserver_ldap.admin.inc   | 130 ++++
 modules/pinserver_ldap/pinserver_ldap.info    |   6 +
 modules/pinserver_ldap/pinserver_ldap.install |  67 ++
 modules/pinserver_ldap/pinserver_ldap.js      |  74 ++
 modules/pinserver_ldap/pinserver_ldap.module  | 709 ++++++++++++++++++
 7 files changed, 1090 insertions(+)
 create mode 100644 modules/pinserver_ldap/README.md
 create mode 100644 modules/pinserver_ldap/includes/pinserver_ldap.api.inc
 create mode 100644 modules/pinserver_ldap/pinserver_ldap.admin.inc
 create mode 100644 modules/pinserver_ldap/pinserver_ldap.info
 create mode 100644 modules/pinserver_ldap/pinserver_ldap.install
 create mode 100644 modules/pinserver_ldap/pinserver_ldap.js
 create mode 100644 modules/pinserver_ldap/pinserver_ldap.module

diff --git a/modules/pinserver_ldap/README.md b/modules/pinserver_ldap/README.md
new file mode 100644
index 0000000..26a05b8
--- /dev/null
+++ b/modules/pinserver_ldap/README.md
@@ -0,0 +1,40 @@
+This is a Drupal 7 module for allowing HUID login.  It is an
+adaptation of the Drupal 6 module pinserver, from IQSS, 
+and pinserver\_osc by Reinhard Engels.  Note that although this module
+works, it is not currently in use on a production site.  The Drupal 6
+two-module predecessor to this one is working on the Office for
+Scholarly Communication's sites, however.
+
+This module implements PIN 1 and 2, but not 3.
+
+A D7 version of pinserver is at
+https://github.com/openscholar/pinserver.  A later version of this
+module may break out the additional functionality in order to take
+advantage of the current IQSS module.
+
+Installation
+------------
+
+    cd sites/all/modules/
+    git clone git@git.huit.harvard.edu:pin-server-module-for-drupal-7/pinserver_plus.git
+    drush en pinserver_plus
+
+Or enable the module in the UI.
+
+Configuration
+-------------
+
+Go to http://yoursite/#overlay=admin/settings/pinserver_plus.  You will need an
+application name and target, GPG, and LDAP login credentials.  Instructions are 
+linked at https://github.com/openscholar/pinserver/blob/7.x-3.x/README.md. 
+
+The salt is added to the HUID when creating a hash.  In the case of
+the OSC, this had to match the salt used in DASH, so Drupal users
+could be mapped to DASH users.  Your application may vary.
+
+TODO
+----
+
+- Put search string in configuration
+- Add facility for putting HUID users in a role?
+- Take some or all config out of UI?
diff --git a/modules/pinserver_ldap/includes/pinserver_ldap.api.inc b/modules/pinserver_ldap/includes/pinserver_ldap.api.inc
new file mode 100644
index 0000000..7f17732
--- /dev/null
+++ b/modules/pinserver_ldap/includes/pinserver_ldap.api.inc
@@ -0,0 +1,64 @@
+<?php
+
+/**
+ * @file
+ * API functions for the Pinserver_Plus Plus module.
+ * 
+ */
+
+/**
+ * API function - Checks if user can access registration form by checking $_SESSION values
+ * The $_SESSION values are only set when a user succesfully 
+ * @return unknown
+ */
+function pinserver_plus_check_status() {
+  global $user;
+  
+  //allow admin to access the form
+  if ($user->uid == '1') {
+    //return TRUE; // for testing purposes
+  }  
+  if (isset($_SESSION['pinserver_plus']['reg_time']) && isset($_SESSION['pinserver_plus']['huid'])) {
+    return $reg_time =  ((REQUEST_TIME - (int)$_SESSION['pinserver_plus']['reg_time']) < 120) ? TRUE : FALSE;
+  }
+  return FALSE;
+}
+
+/**
+ * API function - Return all session values (set after successful pinserver_plus login)
+ */
+function pinserver_plus_get_session() {
+  //returns array with pinserver_plus session values if not empty  
+  if (!empty($_SESSION['pinserver_plus'])) {
+    foreach ($_SESSION['pinserver_plus'] as $key => $val) {
+      $session_values['key'] = $val;          
+    } 
+    return $session_values;   
+  }
+  else {
+    return FALSE;
+  }
+}
+
+/**
+ * API function - Returns huid (set after successful pinserver_plus login)
+ */
+function pinserver_plus_get_session_huid() {
+  //returns array with pinserver_plus session values
+  if ($_SESSION['pinserver_plus']['huid']) {
+    return $_SESSION['pinserver_plus']['huid'];
+  }
+  else {
+    return FALSE;
+  }
+}
+
+/**
+ * API function - Remove session values set after successful pinserver_plus login
+ */
+function pinserver_plus_remove_session() {
+  //removing session values when new site is created
+  if (isset($_SESSION['pinserver_plus'])) {
+    unset($_SESSION['pinserver_plus']);
+  }
+}
\ No newline at end of file
diff --git a/modules/pinserver_ldap/pinserver_ldap.admin.inc b/modules/pinserver_ldap/pinserver_ldap.admin.inc
new file mode 100644
index 0000000..a5032b9
--- /dev/null
+++ b/modules/pinserver_ldap/pinserver_ldap.admin.inc
@@ -0,0 +1,130 @@
+<?php
+
+//@file pinserver_plus.admin.inc
+
+/**
+ * pinserver_plus_config()
+ *
+ * @return array - returns form for pinserver_plus administrative settings
+ */
+function pinserver_plus_config() {
+  global $base_url;
+
+  $form['pinserver_plus'] = array(
+  '#type' => 'fieldset',
+  '#title' => t('Harvard Pinserver Plus Configuration'),
+  '#collapsible' => TRUE,
+  '#collapsed' => FALSE,
+  );
+
+  $form['pinserver_plus']['pinserver_plus_pin_url'] = array(
+  '#type' => 'textfield',
+  '#required' => TRUE,
+  '#title' => t('Harvard PIN Server URL'),
+  '#default_value' => variable_get('pinserver_plus_pin_url', ''),
+  '#description' => t('Enter PIN server URL. For example: https://www.pin1.harvard.edu/pin/authenticate'),
+  );
+
+  $form['pinserver_plus']['pinserver_plus_app_name'] = array(
+  '#type' => 'textfield',
+  '#title' => t('Harvard PIN server application name'),
+  '#required' => TRUE,
+  '#default_value' => variable_get('pinserver_plus_app_name', ''),
+  '#description' => t('Enter the application name given to you by Harvard Directory Services.' ),
+  );
+
+  $form['pinserver_plus']['pinserver_plus_target'] = array(
+  '#type' => 'textfield',
+  '#title' => t('Harvard PIN server target path'),
+  '#required' => TRUE,
+  '#default_value' => variable_get('pinserver_plus_target', ''),
+  '#description' => t('Enter the path given to you by Harvard Directory Services, e.g. "pinserver/auth".' ),
+  );
+
+  $form['pinserver_plus']['pinserver_plus_salt'] = array(
+  '#type' => 'textfield',
+  '#title' => t('Harvard PIN server salt'),
+  '#required' => TRUE,
+  '#default_value' => variable_get('pinserver_plus_salt', ''),
+  '#description' => t('Enter the salt used to encode HUIDs.' ),
+  );
+
+  $form['pinserver_plus']['pinserver_plus_ldap_url'] = array(
+  '#type' => 'textfield',
+  '#title' => t('Harvard LDAP URL'),
+  '#required' => TRUE,
+  '#default_value' => variable_get('pinserver_plus_ldap_url', ''),
+  '#description' => t('Enter the LDAP URL given to you by Harvard Directory Services, something like "ldaps://hu-ldap.harvard.edu".' ),
+  );
+
+  $form['pinserver_plus']['pinserver_plus_ldap_user'] = array(
+  '#type' => 'textfield',
+  '#title' => t('Harvard LDAP user string'),
+  '#required' => TRUE,
+  '#default_value' => variable_get('pinserver_plus_ldap_user', ''),
+  '#description' => t('Enter the LDAP user string given to you by Harvard Directory Services, something like "uid=xyzzy,ou=applications,o=Harvard University Core,dc=huid,dc=harvard,dc=edu".' ),
+  );
+
+  $form['pinserver_plus']['pinserver_plus_ldap_password'] = array(
+  '#type' => 'textfield',
+  '#title' => t('Harvard LDAP password'),
+  '#required' => TRUE,
+  '#default_value' => variable_get('pinserver_plus_ldap_password', ''),
+  '#description' => t('Enter the LDAP password given to you by Harvard Directory Services.' ),
+  );
+
+  $form['pinserver_plus']['pinserver_plus_gpg_dir'] = array(
+  '#type' => 'textfield',
+  '#title' => t('Host server path to public key directory'),
+  '#required' => TRUE,
+  '#default_value' => variable_get('pinserver_plus_gpg_dir', ''),
+  '#description' => t('Enter the absolute path to the GPG directory on your web server where the PIN Server or AuthProxy public key information is stored.' ),
+  );
+
+  $form['pinserver_plus']['pinserver_plus_landing_path'] = array(
+  '#type' => 'textfield',
+  '#title' => t('Landing Path'),
+  '#required' => TRUE,
+  '#default_value' => variable_get('pinserver_plus_landing_path', ''),
+  '#description' => t('Specify the path to redirect the user after all pinserver_plus module processing is complete. Use a relative path that comes after !base_url' . '/', array('!base_url' => $base_url)),
+  );
+
+  $form['pinserver_plus']['pinserver_plus_auth_str'] = array(
+  '#type' => 'radios',
+  '#title' => t('PIN Authentication Server Setup'),
+  '#default_value' => variable_get('pinserver_plus_auth_str', ''),
+  '#options' => array(
+  'Good signature from "Harvard University PIN System' => t('PIN only'),
+  'Good signature from "authzproxy"' => t('PIN with AuthProxy'),
+  ),
+  '#required' => TRUE,
+  '#description' => t('The server that is returning the user back to this site after successful PIN login.'),
+  );
+
+  $form['pinserver_plus']['pinserver_plus_support_contact'] = array(
+  '#type' => 'textfield',
+  '#title' => t('E-mail address for technical support'),
+  '#required' => FALSE,
+  '#default_value' => variable_get('pinserver_plus_support_contact', ''),
+  '#description' => t('Optionally specify contact person to be displayed to user if PIN authentication fails.'),
+  );
+
+  //pinsever GPG logging fields
+
+  $form['pinserver_plus_logging'] = array(
+  '#type' => 'fieldset',
+  '#title' => t('Harvard Pinserver Plus Logging'),
+  '#collapsible' => TRUE,
+  '#collapsed' => FALSE,
+  );
+
+  $form['pinserver_plus_logging']['pinserver_plus_error_log'] = array(
+  '#type' => 'textfield',
+  '#title' => t('Text file to use for logging GPG stderror output'),
+  '#required' => FALSE,
+  '#default_value' => variable_get('pinserver_plus_error_log', ''),
+  '#description' => t('Optionally specify full filename and path from server\'s root directory (not the website\'s root directory). The file should always be below the root directory, and it is recommended only for development sites. Leave blank to disable. Include the first / to indicate the root directory of the webserver.'),
+  );
+
+  return system_settings_form($form);
+}
\ No newline at end of file
diff --git a/modules/pinserver_ldap/pinserver_ldap.info b/modules/pinserver_ldap/pinserver_ldap.info
new file mode 100644
index 0000000..f4fe474
--- /dev/null
+++ b/modules/pinserver_ldap/pinserver_ldap.info
@@ -0,0 +1,6 @@
+; $Id$
+name = Pinserver Plus
+description = Maps a Pinserver HUID account to a Drupal account so you can log in.
+package = Harvard PIN Authentication
+core = 7.x
+files[] = includes/pinserver_plus.api.inc
diff --git a/modules/pinserver_ldap/pinserver_ldap.install b/modules/pinserver_ldap/pinserver_ldap.install
new file mode 100644
index 0000000..b933b9f
--- /dev/null
+++ b/modules/pinserver_ldap/pinserver_ldap.install
@@ -0,0 +1,67 @@
+<?php
+
+/**
+* @file
+* Pinserver Plus install hooks
+*
+*/
+
+/**
+* Implementation of hook_uninstall()
+*/
+function pinserver_plus_install() {
+  // nothing to do here
+}
+
+/**
+* Implementation of hook_uninstall()
+*/
+function pinserver_plus_uninstall() {
+
+  //remove pinserver plus administrative system variables
+  variable_del('pinserver_plus_pin_url');
+  variable_del('pinserver_plus_app_name');
+  variable_del('pinserver_plus_gpg_dir');
+  variable_del('pinserver_plus_landing_path');
+  variable_del('pinserver_plus_hash_huid');
+  variable_del('pinserver_plus_support_contact');
+  variable_del('pinserver_plus_enable_logging');
+  variable_del('pinserver_plus_error_log');  
+
+//remove other pinserver plus variables
+  variable_del('pinserver_plus_ip_validation');
+  variable_del('pinserver_plus_gpg_bin');  
+}
+
+/**
+ * Implementation of hook_schema().
+ */
+function pinserver_plus_schema() {
+  $schema['pinserver_plus'] = array(
+    'description' => 'Maps unique encrypted HUID identifier to Drupal user ID',
+    'fields' => array(
+      'uid' => array(
+        'description' => 'Drupal user ID',
+        'type' => 'int',
+        'not null' => TRUE,
+        'default' => 0,
+      ),
+      'huid' => array(
+        'description' => "Holds the Harvard ID of returning users",
+        'type' => 'varchar',
+        'length' => 255,
+        'not null' => TRUE,
+        'default' => '',
+      ),
+      'reg_time' => array(
+        'description' => "The time of user registration",
+        'type' => 'int',
+      ),
+    ),
+    'unique keys' => array(
+      'huid' => array('huid'),
+    ),
+    'primary key' => array( 'uid') ,
+  );
+  return $schema;
+}
diff --git a/modules/pinserver_ldap/pinserver_ldap.js b/modules/pinserver_ldap/pinserver_ldap.js
new file mode 100644
index 0000000..9e4432b
--- /dev/null
+++ b/modules/pinserver_ldap/pinserver_ldap.js
@@ -0,0 +1,74 @@
+(function ($) {
+
+// global PIN object.
+
+PIN = {};
+PIN.swapId= "content-area";
+PIN.loginFormId="user-login";
+PIN.drupalHtml="";
+
+PIN.createCookie = function(name,value,days) {
+    if (days) {
+	var date = new Date();
+	date.setTime(date.getTime()+(days*24*60*60*1000));
+	var expires = "; expires="+date.toGMTString();
+    } else {
+	var expires = "";
+    }
+    document.cookie = name+"="+value+expires+"; path=/";
+};
+
+PIN.drupalLogin = function(){
+    $('#' + PIN.swapId).html(PIN.drupalHtml);
+};
+
+PIN.gotoPin =function(){
+    // app should be set in Drupal
+    document.location = "https://www.pin1.harvard.edu/pin/authenticate?__authen_application="+Drupal.settings.app;
+};
+
+PIN.chooseLogin = function() {
+    // email should be set in Drupal
+    //alert("chooseLogin:  " + window.location.hostname);
+    var pin_dest =  document.location.href;
+    // extract node url from login url
+    pin_dest = pin_dest.replace("/user/login?destination=","/").replace("%2F","/");
+    //$.cookie("pin_dest",pin_dest, {path: '/'});
+    PIN.createCookie("pin_dest",pin_dest,1); // drupal js api.
+    if ( $('#'+PIN.swapId).length === 0 ) {
+	PIN.swapId = "pinLoginDiv";
+	$('#'+PIN.loginFormId).wrap('<div id=\"' + PIN.swapId + '" />');
+	//alert("Yeah, dude!");
+    }
+    //alert("Hi Reinhard 2: " + PIN.swapId + " NOW length: " + $('#'+PIN.swapId).length);
+    PIN.drupalHtml=$('#'+PIN.swapId).html();
+    //alert("drupalHtml: " + PIN.drupalHtml);
+    var html="";
+    html += "<div xmlns=\"http:\/\/di.tamu.edu\/DRI\/1.0\/\" style=\"align:center; text-align: center; width:40%; margin:10px; padding:12px; float:left; border:1px solid #CDCDCD; position: relative;\"> ";
+    html += "<form method=\"GET\"> ";
+    html += "<button type=\"button\" onclick=\"PIN.gotoPin()\">Login with HUID and PIN<\/button> ";
+    html += "<\/form> ";
+    html += "<div style=\"text-align: left;\"> ";
+    html += "<p>Are you a Harvard Affiliate with Harvard University ID (HUID) and PIN?<\/p>";
+    html += "<p>Please click the button above to access this site.<\/p>";
+    html += "<p>For more information, please see";
+    html += "<a href=\"http:\/\/www.pin.harvard.edu\/login-help.shtml\"> ";
+    html += "the PIN Login help page<\/a>.<\/p> ";
+    html += "<\/div> ";
+    html += "<\/div> ";
+    html += "<div style=\"align:center; text-align: center; width:40%; margin:10px; padding:12px; float:left; border:1px solid #CDCDCD; position: relative;\"> ";
+    html += "<form method=\"GET\" action=\"\"> ";
+    html += "<button type=\"button\" onclick=\"PIN.drupalLogin()\">Login with Password<\/button> ";
+    html += "<\/form> ";
+    html += "<div style=\"text-align: left;\"> ";
+    html += "<p>Not a Harvard Affiliate?</p><p>Please <a href=\"mailto:" + Drupal.settings.email + "\">contact us<\/a> to obtain login credentials, then click the button above.</p>";
+    html += "<\/p> ";
+    html += "<\/div> ";
+    html += "<\/div> ";
+    $('#'+PIN.swapId).html(html);    	
+};
+
+$(document).ready(function() {
+	PIN.chooseLogin();
+    });
+})(jQuery);
diff --git a/modules/pinserver_ldap/pinserver_ldap.module b/modules/pinserver_ldap/pinserver_ldap.module
new file mode 100644
index 0000000..e556648
--- /dev/null
+++ b/modules/pinserver_ldap/pinserver_ldap.module
@@ -0,0 +1,709 @@
+<?php  
+
+/**
+ * These are module constants - Please do not modify these
+ */
+define('PIN_URL', variable_get('pinserver_plus_pin_url', ''));  // url to pin server
+define('PIN_LANDING_PATH', variable_get('pinserver_plus_landing_path', '')); //relative path where module will redirect user after all processing complete
+define('PIN_SUPPORT_CONTACT', variable_get('pinserver_plus_support_contact', ''));  //who to contact if visitor has authentication issues
+define('PIN_AUTH_STR', variable_get('pinserver_plus_auth_str', '')); //String to check whether using just PIN or PIN with AuthzProxy
+define('PIN_HASH_HUID', variable_get('pinserver_plus_hash_huid', 0)); //Determine whether to encrypt Harvard id before passing to $_SESSION. Defaults is no.
+define('PIN_APP_NAME', variable_get('pinserver_plus_app_name', '')); //application name given by directory services
+define('PIN_TARGET', variable_get('pinserver_plus_target', '')); //application name given by directory services
+define('PIN_SALT', variable_get('pinserver_plus_salt', '')); // salt for hashing HUID
+define('PIN_LDAP_URL', variable_get('pinserver_plus_ldap_url', ''));
+define('PIN_LDAP_USER', variable_get('pinserver_plus_ldap_user', ''));
+define('PIN_LDAP_PASSWORD', variable_get('pinserver_plus_ldap_password', ''));
+define('PIN_IP_VAL', variable_get('pinserver_plus_ip_validation', 0)); //Validate IP address or not. Reinhard: Masha in directory services says don't validate ip. Can cause vpn/tunneling problems. 
+define('GPG_DIR', variable_get('pinserver_plus_gpg_dir', dirname(__FILE__) . '/.gnupg')); //absolute path to directory to verify detached signature
+define('GPG_BIN', variable_get('pinserver_plus_gpg_bin', '/usr/bin/gpg')); //absolute path to gpg binary
+define('GPG_ERROR_LOG', variable_get('pinserver_plus_error_log', '/tmp/gpgerror'));  //absolute path (file included) to gpp stderr output for testing
+
+module_load_include('inc', 'pinserver_plus', 'includes/pinserver_plus.api');
+
+/**
+ * Implementation of hook_menu(). 
+ */ 
+function pinserver_plus_menu() {
+  $path = drupal_get_path('module', 'pinserver_plus');
+  $items = array();
+  
+  $items[PIN_TARGET] = array(
+    'type' => MENU_CALLBACK,
+    'page callback' => 'pinserver_plus_checkuser',
+    'access callback' => TRUE,
+  );
+  
+  $items['pinserver_plus/error'] = array(
+    'type' => MENU_CALLBACK,
+    'title' => 'Authentication Error',
+    'page callback' => 'pinserver_plus_error',
+    'access callback' => TRUE,
+  );
+    
+  $items['admin/settings/pinserver_plus'] = array(
+    'title' => 'Pinserver Plus',
+    'description' => 'Modify Harvard Pinserver Plus configuration, access, and logging',
+    'type' => MENU_NORMAL_ITEM,
+    'weight' => 0,
+    'page callback' => 'drupal_get_form',
+    'page arguments' => array('pinserver_plus_config'),
+    'access arguments' =>  array('administer pinserver_plus'),
+    'file' => 'pinserver_plus.admin.inc',
+    'file path' => $path,
+  );
+
+  return $items;
+}
+
+/**
+ * Implementation of hook_permission()
+ *
+ * @return array - permissions set for the pinserver_plus module
+ */
+function pinserver_plus_permission() {
+  return array(
+    'administer pinserver_plus' => array(
+      'title' => t('Administer Pin server plus module'),
+      'description' => t('Administer the Pin server plus module')
+    )
+  );
+}
+
+/*
+ * Implementation of hook_theme()
+ */
+function pinserver_plus_theme() {
+  return array(
+    'pinserver_plus_token_error' => array(
+      'arguments' => array('values' => NULL)
+    ),
+  );
+}
+
+/**
+ * Redirect user to PIN login url  
+ */ 
+function pinserver_plus_redirect() {
+  $pin_redirect = PIN_URL . '?__authen_application=' . PIN_APP_NAME;
+  drupal_goto($pin_redirect);
+}
+
+/**
+ * First function called after user has authenticated via pinserver_plus and returned to site
+ */
+function pinserver_plus_checkuser() { // changed from pinserver_plus_check_user to pinserver_plus_checkuser, as the former looks like a hook to Coder.  BRS 2012-10-18
+
+  // First, parse and validate the PIN token.
+  $token_data = pinserver_plus_check_token();
+ 
+  // If any errors are returned, redirect to an error page.
+  if (is_array($token_data) && count($token_data['errors']) > 0) {
+    $errors = implode(',', array_unique($token_data['errors']));
+    drupal_goto("pinserver_plus/error/token/$errors");
+    exit();
+  }
+  //if successful pin authentication, place the encrypted harvard uid into a session array
+  $_SESSION['pinserver_plus']['huid'] = $token_data['user_id'];
+  //add time value to session array
+  $_SESSION['pinserver_plus']['reg_time'] = REQUEST_TIME;
+  
+  
+  //hook for dynamic landing path, if no hooks fired, then use static landing path
+  $path = module_invoke_all('pinserver_plus_landing_path');
+  $landing_path = !empty($path) ? end($path) : PIN_LANDING_PATH;
+  
+  //invoke hook_pinserver after sucessful pin login and token authentication
+  module_invoke_all('pinserver');
+
+  //redirect user to landing page that was set in pinserver_plus configuration page
+  drupal_goto($landing_path);
+}
+ 
+/**
+ * This function prepares the unencrypted PIN v1 token for authentication.
+ * @return authentication parameters and signature in a single array. 
+ */  
+function pinserver_plus_prepare_pin_v1_token() {
+  $values = array();
+
+  // Collect URL parameters
+  $app = $_GET['__authen_application'];
+  $user_id = $_GET['__authen_huid'];
+  $proxy_id = "";
+  $ip = $_GET['__authen_ip'];
+  $time = $_GET['__authen_time'];
+  $pgp_signature = $_GET['__authen_pgp_signature'];
+  $pgp_version = $_GET['__authen_pgp_version'];      
+
+  // Construct the auth token from the returned URL arguments from PIN server.
+  $values['token'] = $app . "|" . $user_id . "|" . $proxy_id . "|" . $ip . "|" . $time;
+
+  // The signature is passed as is. 
+  $values['pgp_signature'] = $pgp_signature;
+  
+  // User ID is returned as a hash for safer storage.
+  $values['user_id'] = (PIN_HASH_HUID === 1) ? md5($user_id) : $user_id;
+
+  // Time must be converted into unix timestamp.  
+  $exploded_time = explode(" ", $time);
+  $values['time'] = strtotime($exploded_time[1] . " " . $exploded_time[2] . " " . $exploded_time[5] . " " . $exploded_time[3]);
+
+  // Client IP is returned as is. 
+  $values['ip'] = $ip;
+
+  // App Name is returned as is. 
+  $values['app'] = $app;
+
+  // ID type is returned as PIN. 
+  $values['login_type'] = 'PIN';
+  
+  //set appropriate good signature string for this type of token
+  $values['good_sig'] = PIN_AUTH_STR;
+
+  return $values;
+}
+
+/**
+ * This function prepares the unencrypted PIN v2 token for authentication.
+ * @return authentication parameters and signature in a single array. 
+ */  
+function pinserver_plus_prepare_pin_v2_token($pin_parameters, $pin_signature) {
+  $values = array();
+
+  // Deconstruct parameters from the authentication token.
+  $token_array = explode($pin_parameters, '|');
+
+  // The token data is passed as is.
+  $values['token'] = $pin_parameters;
+
+  // The signature is passed as is. 
+  $values['pgp_signature'] = $pgp_signature;
+  
+  // App Name is returned as is. 
+  $values['app'] = $token_array[0];
+
+  // User ID is returned as a hash for safer storage.
+  $values['user_id'] =  (PIN_HASH_HUID === 1) ? md5($token_array[1]) : $token_array[1];
+
+  // Unused parameter proxy_id
+  // $values['proxy_id'] = $token_array[2];
+
+  // Client IP is returned as is. 
+  $values['ip'] = $token_array[3];
+
+  // Time must be converted into unix timestamp.  
+  $exploded_time = explode(" ", $token_array[4]);
+  $values['time'] = strtotime($exploded_time[1] . " " . $exploded_time[2] . " " . $exploded_time[5] . " " . $exploded_time[3]);
+
+  // Unused parameter "blank"
+  // $token_array[5]
+
+  // ID type is returned as is. 
+  $values['login_type'] = $token_array[6];
+  
+  //set appropriate good signature string for this type of token
+  $values['good_sig'] = PIN_AUTH_STR;   
+
+  return $values;
+}
+
+
+/**
+ * pinserver_plus_check_token()
+ *
+ * This function serves to check all components of the returned token in compliance with the 
+ * Harvard UIS procedures speficied at: http://www.pin.harvard.edu/dev-guide-token.shtml
+ * It is instantiated when the user has just logged in via the Harvard PIN server and has now 
+ * been returned to the Drupal site
+ *
+ * @return if the detached signature is deemed good, it returns "pinserver_plus_checkuser($user_id)". Otherwise
+ * it prohibits the user from logging in.
+ */
+function pinserver_plus_check_token() {
+
+  // Initialize the return values.
+  $return = array('errors' => array());
+
+  /*
+   * Prepare token differently depending on the token type and version
+   */
+  // Pin Token Version 2
+  if ($pin_parameters = $_GET['__authen_parameters'] && $pin_signature = $_GET['__authen_pgp_signature']) {
+    $values = pinserver_plus_prepare_pin_v2_token($pin_parameters, $pin_signature);
+  }
+  // Pin Token Version 1
+  elseif ($_GET['__authen_huid']) {
+    $values = pinserver_plus_prepare_pin_v1_token();
+  }
+  else {
+    drupal_goto("pinserver_plus/error/token/unrecognized-url");
+    exit();
+  }
+  
+  $pgp_message = "-----BEGIN PGP SIGNED MESSAGE-----" . "\n";
+  $pgp_message .= "Hash: SHA1" . "\n";
+  $pgp_message .= "\n";
+  $pgp_message .= $values['token'] . "\n";
+  $pgp_message .= "-----BEGIN PGP SIGNATURE-----" . "\n";
+  $pgp_message .= "Version: 5.0" . "\n";
+  $pgp_message .= "\n";
+  $pgp_message .= $values['pgp_signature'] . "\n";
+  $pgp_message .= "-----END PGP SIGNATURE-----" . "\n";
+
+  $stdout = "";
+  $stderr = "";
+
+  // Use gnupg to verify signature.
+  $descriptorspec = array(
+    0 => array('pipe', 'r'), // stdin
+    1 => array('pipe', 'w'), // stdout
+    2 => array('pipe', 'w') // stderr
+  );
+
+   $process = proc_open("gpg --homedir '" . GPG_DIR . "' --verify", $descriptorspec, $pipes);
+   
+  if (!is_resource($process)) {
+    $values['errors'][] = 'signature';
+    $values = implode(',', array_unique($values['errors']));
+    drupal_goto("pinserver_plus/error/token/$values");
+    exit();
+  }
+
+ fwrite($pipes[0], $pgp_message);
+  fclose($pipes[0]);
+  fclose($pipes[1]);
+
+  // read stderr ;
+  while (!feof($pipes[2])) {
+    $stderr .= fgets($pipes[2], 1024);
+  }
+  fclose($pipes[2]);
+  $return_value = proc_close($process);
+
+  /** 
+   * Save errors to file if set in configuration options and file exists. 
+   * File should be placed below root, recommended only for development/testing. 
+   */
+  if (GPG_ERROR_LOG !== '') {
+    $fp = fopen(GPG_ERROR_LOG, 'w');
+    fwrite($fp, $stderr);
+    fclose($fp);
+  }
+
+  // If good signature statement is not found within gpg output 
+  // or exit code from process is not 0, then it is a bad signature. 
+  if (strpos($stderr,  $values['good_sig']) === FALSE || $return_value != 0) {
+    print "Good[{$values['good_sig']}] Mine[$stderr]";
+    $values['errors'][] = 'signature'; 
+  }
+
+  /*
+  Now that PGP Signature has been verified, all other token components
+  that require validation must be processed, as specified by the HU directory
+  services developer's manual: http://www.pin.harvard.edu/dev-guide-token.shtml
+  This includes checking the following URL parameters: 
+  1) __authen_application / "Application Id" must match the application name
+  2) __authen_ip / "Ip Address" must match the IP address of the current user
+  3) __authen_time / "Timestamp" is valid and not more than a few minutes old
+  */
+
+  // Verify application name.
+  if ($values['app'] != PIN_APP_NAME) {
+    $values['errors'][] = 'name';
+  }  
+  
+  if (PIN_IP_VAL == 1) {
+    // Verify current user's IP address.
+    if ( $values['ip'] !== $_SERVER['REMOTE_ADDR'] ) {
+      $values['errors'][] = 'ip-mismatch';
+    }
+  }
+  
+  // Verify time parameter is not longer than 2 minutes old. 
+  // The PHP abs() function converts integers to absolute values (unsigned).
+  // Subtract timestamp value sent by PIN server from the current time (on web server)
+  // 120 equals 2 minutes; could change this to 60 but no more than 180
+  if (abs($values['time'] - REQUEST_TIME) > 120) {
+    $values['errors'][] = 'time-elapsed';
+  }
+  //echo "<pre>"; print_r($values); die;
+  return $values; 
+}
+
+/**
+ * Function to check system settings
+ */
+function pinserver_plus_check_system_settings() {  
+  
+  $settings = array(
+  'PIN_URL' => PIN_URL,
+  'PIN_LANDING_PATH' =>  PIN_LANDING_PATH,
+  'PIN_AUTH_STR' => PIN_AUTH_STR,
+  'GPG_DIR' => GPG_DIR,
+  'GPG_BIN' => GPG_BIN,
+  );
+
+  $info = array(
+    'value' => TRUE,
+    'message' => '',
+  );
+  
+  //check to see if all settings are set
+  foreach ($settings as $key => $setting) {
+    if (empty($setting)) {
+      $missing_settings[] = strtolower($key);      
+    }    
+  }
+  if (count($missing_settings)) {
+    $message = 'ALERT: scholar pinserver_plus is missing system settings: ';
+    foreach ($missing_settings as $setting) {
+      $message .= $setting . ' ';
+    }
+    $info['value'] = FALSE;
+    $info['message'] = $message . '. ';
+  }
+
+  if (!is_dir(GPG_DIR)) {
+    $message = 'The system path for gpg_dir directory is invalid or does not exist.';
+    $info['value'] = FALSE;
+    $info['message'] .= $message;
+  }
+ 
+  return $info;
+}
+
+/**
+ * Log error and display message
+ * @param  string $type - string to identify message type to display
+ * @param  string $values - comma separated list of errors encountered
+ */
+function pinserver_plus_error($type, $values) {
+  switch ($type) {
+    case 'token':
+      //log the errors
+      error_log("The pinserver_plus module has errored in processing the token in the following categories: $values");
+      return theme('pinserver_plus_token_error', explode(',', $values));
+      break;
+    default:
+      return '';
+  }
+}
+
+/* 
+ * theme_pinserver_plus_token_error()
+ * @param  array $values - all errors that occured due to a problem with the token or token processing. 
+ */
+function theme_pinserver_plus_token_error($values = NULL) {
+  $message = '<p>Communication with the Harvard PIN server failed.';
+  if (in_array('ip-mismatch', $values)) {
+    error_log("The pinserver_plus module found an ip-mismatch comparing url IP {$_GET['__authen_ip']} to remote address {$_SERVER['REMOTE_ADDR']} ");
+    $message .= ' Note: Use of a VPN or tunnel connection may cause problems with PIN authentication.';
+  }
+  $message .= ' Please ' . l('try again', PIN_URL . '?__authen_application=' . PIN_APP_NAME);
+  if (valid_email_address(PIN_SUPPORT_CONTACT)) {
+    $message .= ' or ' . l('contact us.', 'contact');
+  }
+  $message .= '.</p>';
+  return $message;
+}
+
+
+/**
+ * Implementation of hook_pinserver().
+ */
+function pinserver_plus_pinserver() {
+  global $user;
+  $huid = pinserver_plus_get_session_huid();
+  $hashed_huid = salted_md5($huid);
+  $uid = pinserver_plus_check_row($hashed_huid);
+  if (strlen($hashed_huid) && strlen($uid)) {
+    error_log("We already have a drupal user corresponding to this hashed huid."); 
+    $user = user_load($uid);
+    error_log("Hashed HUID: " . $hashed_huid . " -> Drupal UID: " . $uid);
+    if ( $user->name == $hashed_huid ) {
+      error_log("Drupal username looks like a hashed huid... let's update it with LDAP info.");
+      update_pinuser($user, $huid);
+    }
+  } 
+  else {
+    error_log("We haven't seen this huid before: " . $huid);
+    error_log("Let's create a new drupal account for it...");
+    $user = create_pinuser($huid);
+    error_log("Great. Now let's record the mapping between these 2 ids so we can reuse it next time.");
+    error_log("Hashed HUID: " . $hashed_huid . " -> Drupal UID: " . $user->uid);
+    pinserver_plus_add_row($user->uid, $hashed_huid);
+  }
+  // Update the user table timestamp noting user has logged in.
+  // This is also used to invalidate one-time login links.
+  $user->login = REQUEST_TIME;
+  // was: db_query("UPDATE {users} SET login = %d WHERE uid = %d", $user->login, $user->uid);
+  db_update('users')
+    ->fields(array('login' => $user->login))
+    ->condition('uid', $user->uid)
+    ->execute();
+  // Regenerate the session ID to prevent against session fixation attacks.
+  drupal_session_regenerate();
+  // Remove pinserver session variables
+  pinserver_plus_remove_session();
+}
+
+/**
+ * Update existing drupal user for given Harvard PIN user.  Look up
+ * harvard user in LDAP to update drupal username and email.  Should
+ * only be called for old (pre August 2012) accounts before we had
+ * access to LDAP (when username and email were based on ugly hashed
+ * huid).
+ */
+function update_pinuser($user, $huid) { // renamed update_pin_user to suppress Coder error
+  $ldapinfo = get_ldap_info($huid);
+  $new_username = generate_username($ldapinfo);
+  return save_pinuser(
+    $user,
+    array(
+      'name' => $new_username, //'somename',
+      'mail' => $ldapinfo['email'],
+    )
+  );
+}
+
+/**
+ * Create a new drupal user for given Harvard PIN user.
+ * Look up harvard user in LDAP to create drupal username and email.
+ */
+function create_pinuser($huid) { // renamed create_pin_user to suppress Coder error
+  $ldapinfo = get_ldap_info($huid);
+  $new_username = generate_username($ldapinfo);
+  return save_pinuser(
+    new stdClass(),
+    array(
+      'name' => $new_username, //'somename',
+      'pass' => user_password(),
+      'mail' => $ldapinfo['email'],
+      'roles' => array(),
+      'status' => 1,
+    )
+  );
+}
+
+/**
+ * Save new or existing pin-based drupal user to the database.
+ * Check to make sure username and email are not already taken and increment if necessary.
+ */
+function save_pinuser($user, $properties) { // renamed save_pin_user to suppress Coder error
+  if ( username_already_taken($properties['name']) ) {
+    $properties['name'] = increment_username($properties['name']);
+    return save_pinuser($user, $properties);
+  } 
+  elseif ( email_already_taken($properties['mail']) ) {
+    $properties['mail'] = increment_email($properties['mail']);
+    return save_pinuser($user, $properties);
+  } 
+  else {
+    return user_save($user, $properties);
+  }
+};
+
+
+function username_already_taken($username) {
+  // was: return db_result(db_query("SELECT count(*) from {users} WHERE name = '%s'", $username));
+  return db_query("SELECT count(*) from {users} WHERE name = :name", array(':name' => $username))->fetchField();
+}
+
+function email_already_taken($email) {
+  // was: return db_result(db_query("SELECT count(*) from {users} WHERE mail = '%s'", $email));
+  return db_query("SELECT count(*) from {users} WHERE mail = :mail", array(':mail' => $email))->fetchField();
+}
+
+/**
+ * Crude suffix generation for duplicate username handling.
+ * If last characters are numbers, increment by 1 and return. If they are not, append " 1"
+ */
+function increment_username($name) {
+  $matches = array();
+  if (preg_match('/^(\D+) (\d+)$/',  $name, $matches)) {
+      $base_name = $matches[1];
+      $number = $matches[2]+1;
+      return $base_name . " " . $number;
+  } 
+  else {
+    return $name . " 1";
+  }
+}
+
+/**
+ * Crude suffix generation for duplicate email handling.
+ * Uses plus addressing.
+ * If last characters are plus sign followed by numbers, increment by 1 and return. If they are not, append "+1"
+ */
+
+function increment_email($email) {
+  $matches = array();
+  if (preg_match('/^(.+?)\+(\d+)(\@.+?)$/',  $email, $matches)) {
+      $base_name = $matches[1];
+      $number = $matches[2]+1;
+      $domain = $matches[3];
+      return $base_name . "+" . $number . $domain;
+  } 
+  else {
+    return preg_replace("/\@/", "+1@", $email);
+  }
+}
+
+/**
+ * Figure out where to redirect the user after pin authentication.
+ */
+function pinserver_plus_landing_path() {
+  $landing_path = $_COOKIE['pin_dest'];
+  if ( isset($_GET['destination']) ) {
+    $landing_path=$_GET['destination'];
+    error_log("Got destination from url: " . $landing_path);
+  }
+  #error_log("Landing path: " . $landing_path);
+  return $landing_path;
+}
+
+/**
+ * Get name and email from ldap for given huid.
+ * TODO: move connection information to configuration. (soon!)
+ */
+function get_ldap_info($huid) {
+  $ldap_info = array();
+  error_log("Host: " . $_SERVER['HTTP_HOST']);
+  $url = PIN_LDAP_URL;
+  error_log("Getting ldap info from " . $url);
+  $username = PIN_LDAP_USER;
+  $password = PIN_LDAP_PASSWORD;
+  ldap_set_option(NULL, LDAP_OPT_DEBUG_LEVEL, 7);
+  $ds = ldap_connect($url);
+  if ( !$ds ) {
+    throw new Exception("Couldn't connect to LDAP.");
+  }
+  ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
+  ldap_set_option($ds, LDAP_OPT_REFERRALS, 0); 
+  $db = ldap_bind($ds, $username, $password);
+  if (! $db) {
+    throw new Exception("Couldn't bind to LDAP.");
+  }
+  $search_dn     = "ou=people, o=Harvard University Core, dc=huid, dc=harvard, dc=edu";
+  $search_filter =  "(&(harvardeduidnumber=" . $huid . "))";
+  $sr=ldap_search($ds, $search_dn, $search_filter);  
+  #echo "\nSearch result is " . $sr . "<br />";
+  #echo "\nNumber of entries returned is " . ldap_count_entries($ds, $sr) . "<br />";
+  $info = ldap_get_entries($ds, $sr);
+  #echo "\nData for " . $info["count"] . " items returned:<p>";
+  #var_dump($info);
+  for ($i=0; $i<$info["count"]; $i++) {
+    $ldap_info['last']   = $info[$i]["sn"][0];
+    $ldap_info['first']  = $info[$i]["givenname"][0];
+    $ldap_info['middle'] = $info[$i]["harvardedumiddlename"][0];
+    $ldap_info['email']  = $info[$i]["mail"][0];
+  }
+  error_log("Got this info: " . $ldap_info['last']);
+  return $ldap_info;
+}
+
+/**
+ * Create an attractive drupal username based on LDAP information.
+ */
+function generate_username($ldap_info) {
+  return $ldap_info['first'] . ' ' . $ldap_info['last'];
+}
+
+/**
+ * Checks database table for user
+ *
+ * @param encrypted $hashed_huid
+ * @return drupal user id
+ */
+function pinserver_plus_check_row($hashed_huid) {
+  // was: return db_result(db_query("SELECT uid FROM {pinserver_plus} WHERE huid = '%s'", $hashed_huid));
+  return db_query("SELECT uid FROM {pinserver_plus} WHERE huid = :huid", array(':huid' => $hashed_huid))->fetchField();
+}
+
+/**
+ * Adds a new row to huid to drupal user id mapping database table.
+ */
+function pinserver_plus_add_row($uid, $hashed_huid = NULL) {
+  $object = new stdClass();
+  $object->uid = (int)$uid;
+  $object->huid= ($hashed_huid) ? $hashed_huid : salted_md5( pinserver_plus_get_session_huid());
+  $object->reg_time = REQUEST_TIME;
+  // was: if (!db_result(db_query("SELECT uid FROM {pinserver_plus} WHERE huid = '%s'", salted_md5( pinserver_get_session_huid())))) {
+  if (!db_query("SELECT uid FROM {pinserver_plus} WHERE huid = :huid", array(':huid' => salted_md5( pinserver_plus_get_session_huid())))->fetchField()) { // check that this is right with bang at beginning....  BRS
+    drupal_write_record('pinserver_plus', $object);
+    return TRUE;
+  }
+  return FALSE;
+}
+
+/**
+ *  create md5 hash of the huid so we can securely store that semi-sensitive information.
+ */
+function salted_md5($string) {
+  $dash_suffix=PIN_SALT;
+  return md5($string . $dash_suffix);
+}
+
+/**
+ * Implementation of hook_form_alter : adds pinserver_plus login to the login forms.
+ */
+function pinserver_plus_form_alter(&$form, &$form_state, $form_id) {
+  if ($form_id == 'user_login_block' || $form_id == 'user_login') {
+    drupal_add_css(drupal_get_path('module', 'pinserver_plus') . '/pinserver_plus.css', 'module');
+    drupal_add_js('misc/jquery.cookie.js'); // is this right?
+    drupal_add_js(array('app' => PIN_APP_NAME), 'setting');
+    drupal_add_js(array('email' => PIN_SUPPORT_CONTACT), 'setting');
+    drupal_add_js(drupal_get_path('module', 'pinserver_plus') . '/pinserver_plus.js');
+
+    if (!empty($form_state['post']['pinserver_plus_identifier'])) {
+      $form['name']['#required'] = FALSE;
+      $form['pass']['#required'] = FALSE;
+      unset($form['#submit']);
+      $form['#validate'] = array('pinserver_plus_login_validate');
+    }
+
+    $items = array();
+
+    // here's the prob. block gets cached.
+    // we could use js to set a cookie
+    // OK, that's what we're doing now (see pinserver_plus.js)
+
+    #$_SESSION['destination'] = request_uri(); //drupal_get_destination();	
+    #error_log("reinhard user.module: set SESSION destination: " . $_SESSION['destination']);
+
+    if ( PIN_APP_NAME ) {
+      // only prompt if we actually have an app registered.
+      $items[] = l(t('Log in using Harvard PIN'), 'https://www.pin1.harvard.edu/pin/authenticate?__authen_application=' . PIN_APP_NAME);
+    }
+
+    $form['pinserver_plus_links'] = array(
+      '#value' => theme('item_list', $items),
+      '#weight' => 1,
+    );
+    $form['links']['#weight'] = 10;
+
+    $form['pinserver_plus.return_to'] = array('#type' => 'hidden', '#value' => url('pinserver_plus/authenticate', array('absolute' => TRUE, 'query' => drupal_get_destination())));
+  }
+  elseif ($form_id == 'user_register' && isset($_SESSION['pinserver_plus']['values'])) {
+    // We were unable to auto-register a new user. Prefill the registration
+    // form with the values we have.
+    $form['name']['#default_value'] = $_SESSION['pinserver_plus']['values']['name'];
+    $form['mail']['#default_value'] = $_SESSION['pinserver_plus']['values']['mail'];
+    // If user_email_verification is off, hide the password field and just fill
+    // with random password to avoid confusion.
+    if (!variable_get('user_email_verification', TRUE)) {
+      $form['pass']['#type'] = 'hidden';
+      $form['pass']['#value'] = user_password();
+    }
+    $form['auth_pinserver_plus'] = array('#type' => 'hidden', '#value' => $_SESSION['pinserver_plus']['values']['auth_pinserver_plus']);
+    $form['pinserver_plus_display'] = array(
+      '#type' => 'item',
+      '#title' => t('Your Pinserver Plus'),
+      '#description' => t('This Pinserver Plus will be attached to your account after registration.'),
+      '#value' => check_plain($_SESSION['pinserver_plus']['values']['auth_pinserver_plus']),
+    );
+  }
+  return $form;
+}
+

From 9d2863d110887c13f62f0532b676ecfcb17a7cee Mon Sep 17 00:00:00 2001
From: oren <get.oren@gmail.com>
Date: Tue, 4 Feb 2014 14:25:22 -0500
Subject: [PATCH 02/16] standardize funcs & documentation, separate constants

---
 modules/pinserver_ldap/pinserver_ldap.module | 38 ++++++++++++++------
 1 file changed, 27 insertions(+), 11 deletions(-)

diff --git a/modules/pinserver_ldap/pinserver_ldap.module b/modules/pinserver_ldap/pinserver_ldap.module
index e556648..166a5fc 100644
--- a/modules/pinserver_ldap/pinserver_ldap.module
+++ b/modules/pinserver_ldap/pinserver_ldap.module
@@ -1,4 +1,16 @@
-<?php  
+<?php
+
+/**
+ * @file
+ * Integrates Harvard PIN LDAP attributes with pinserver module.
+ */
+
+/**
+ * LDAP constants.
+ */
+define('PIN_LDAP_URL', variable_get('pinserver_plus_ldap_url', ''));
+define('PIN_LDAP_USER', variable_get('pinserver_plus_ldap_user', ''));
+define('PIN_LDAP_PASSWORD', variable_get('pinserver_plus_ldap_password', ''));
 
 /**
  * These are module constants - Please do not modify these
@@ -11,9 +23,6 @@ define('PIN_HASH_HUID', variable_get('pinserver_plus_hash_huid', 0)); //Determin
 define('PIN_APP_NAME', variable_get('pinserver_plus_app_name', '')); //application name given by directory services
 define('PIN_TARGET', variable_get('pinserver_plus_target', '')); //application name given by directory services
 define('PIN_SALT', variable_get('pinserver_plus_salt', '')); // salt for hashing HUID
-define('PIN_LDAP_URL', variable_get('pinserver_plus_ldap_url', ''));
-define('PIN_LDAP_USER', variable_get('pinserver_plus_ldap_user', ''));
-define('PIN_LDAP_PASSWORD', variable_get('pinserver_plus_ldap_password', ''));
 define('PIN_IP_VAL', variable_get('pinserver_plus_ip_validation', 0)); //Validate IP address or not. Reinhard: Masha in directory services says don't validate ip. Can cause vpn/tunneling problems. 
 define('GPG_DIR', variable_get('pinserver_plus_gpg_dir', dirname(__FILE__) . '/.gnupg')); //absolute path to directory to verify detached signature
 define('GPG_BIN', variable_get('pinserver_plus_gpg_bin', '/usr/bin/gpg')); //absolute path to gpg binary
@@ -70,7 +79,7 @@ function pinserver_plus_permission() {
   );
 }
 
-/*
+/**
  * Implementation of hook_theme()
  */
 function pinserver_plus_theme() {
@@ -208,7 +217,6 @@ function pinserver_plus_prepare_pin_v2_token($pin_parameters, $pin_signature) {
   return $values;
 }
 
-
 /**
  * pinserver_plus_check_token()
  *
@@ -390,7 +398,7 @@ function pinserver_plus_error($type, $values) {
   }
 }
 
-/* 
+/**
  * theme_pinserver_plus_token_error()
  * @param  array $values - all errors that occured due to a problem with the token or token processing. 
  */
@@ -408,7 +416,6 @@ function theme_pinserver_plus_token_error($values = NULL) {
   return $message;
 }
 
-
 /**
  * Implementation of hook_pinserver().
  */
@@ -504,12 +511,23 @@ function save_pinuser($user, $properties) { // renamed save_pin_user to suppress
   }
 };
 
-
+/**
+ * @TODO document
+ *
+ * @param $username
+ * @return mixed
+ */
 function username_already_taken($username) {
   // was: return db_result(db_query("SELECT count(*) from {users} WHERE name = '%s'", $username));
   return db_query("SELECT count(*) from {users} WHERE name = :name", array(':name' => $username))->fetchField();
 }
 
+/**
+ * @TODO document
+ *
+ * @param $email
+ * @return mixed
+ */
 function email_already_taken($email) {
   // was: return db_result(db_query("SELECT count(*) from {users} WHERE mail = '%s'", $email));
   return db_query("SELECT count(*) from {users} WHERE mail = :mail", array(':mail' => $email))->fetchField();
@@ -536,7 +554,6 @@ function increment_username($name) {
  * Uses plus addressing.
  * If last characters are plus sign followed by numbers, increment by 1 and return. If they are not, append "+1"
  */
-
 function increment_email($email) {
   $matches = array();
   if (preg_match('/^(.+?)\+(\d+)(\@.+?)$/',  $email, $matches)) {
@@ -706,4 +723,3 @@ function pinserver_plus_form_alter(&$form, &$form_state, $form_id) {
   }
   return $form;
 }
-

From 1cba1a644b96571e6491ac3a3790484d64e128fa Mon Sep 17 00:00:00 2001
From: oren <get.oren@gmail.com>
Date: Tue, 4 Feb 2014 14:32:15 -0500
Subject: [PATCH 03/16] Remove all non-LDAP constants and functions

---
 modules/pinserver_ldap/pinserver_ldap.module | 600 +------------------
 1 file changed, 8 insertions(+), 592 deletions(-)

diff --git a/modules/pinserver_ldap/pinserver_ldap.module b/modules/pinserver_ldap/pinserver_ldap.module
index 166a5fc..6c7cbc7 100644
--- a/modules/pinserver_ldap/pinserver_ldap.module
+++ b/modules/pinserver_ldap/pinserver_ldap.module
@@ -12,412 +12,10 @@ define('PIN_LDAP_URL', variable_get('pinserver_plus_ldap_url', ''));
 define('PIN_LDAP_USER', variable_get('pinserver_plus_ldap_user', ''));
 define('PIN_LDAP_PASSWORD', variable_get('pinserver_plus_ldap_password', ''));
 
-/**
- * These are module constants - Please do not modify these
- */
-define('PIN_URL', variable_get('pinserver_plus_pin_url', ''));  // url to pin server
-define('PIN_LANDING_PATH', variable_get('pinserver_plus_landing_path', '')); //relative path where module will redirect user after all processing complete
-define('PIN_SUPPORT_CONTACT', variable_get('pinserver_plus_support_contact', ''));  //who to contact if visitor has authentication issues
-define('PIN_AUTH_STR', variable_get('pinserver_plus_auth_str', '')); //String to check whether using just PIN or PIN with AuthzProxy
-define('PIN_HASH_HUID', variable_get('pinserver_plus_hash_huid', 0)); //Determine whether to encrypt Harvard id before passing to $_SESSION. Defaults is no.
-define('PIN_APP_NAME', variable_get('pinserver_plus_app_name', '')); //application name given by directory services
-define('PIN_TARGET', variable_get('pinserver_plus_target', '')); //application name given by directory services
-define('PIN_SALT', variable_get('pinserver_plus_salt', '')); // salt for hashing HUID
-define('PIN_IP_VAL', variable_get('pinserver_plus_ip_validation', 0)); //Validate IP address or not. Reinhard: Masha in directory services says don't validate ip. Can cause vpn/tunneling problems. 
-define('GPG_DIR', variable_get('pinserver_plus_gpg_dir', dirname(__FILE__) . '/.gnupg')); //absolute path to directory to verify detached signature
-define('GPG_BIN', variable_get('pinserver_plus_gpg_bin', '/usr/bin/gpg')); //absolute path to gpg binary
-define('GPG_ERROR_LOG', variable_get('pinserver_plus_error_log', '/tmp/gpgerror'));  //absolute path (file included) to gpp stderr output for testing
-
 module_load_include('inc', 'pinserver_plus', 'includes/pinserver_plus.api');
 
 /**
- * Implementation of hook_menu(). 
- */ 
-function pinserver_plus_menu() {
-  $path = drupal_get_path('module', 'pinserver_plus');
-  $items = array();
-  
-  $items[PIN_TARGET] = array(
-    'type' => MENU_CALLBACK,
-    'page callback' => 'pinserver_plus_checkuser',
-    'access callback' => TRUE,
-  );
-  
-  $items['pinserver_plus/error'] = array(
-    'type' => MENU_CALLBACK,
-    'title' => 'Authentication Error',
-    'page callback' => 'pinserver_plus_error',
-    'access callback' => TRUE,
-  );
-    
-  $items['admin/settings/pinserver_plus'] = array(
-    'title' => 'Pinserver Plus',
-    'description' => 'Modify Harvard Pinserver Plus configuration, access, and logging',
-    'type' => MENU_NORMAL_ITEM,
-    'weight' => 0,
-    'page callback' => 'drupal_get_form',
-    'page arguments' => array('pinserver_plus_config'),
-    'access arguments' =>  array('administer pinserver_plus'),
-    'file' => 'pinserver_plus.admin.inc',
-    'file path' => $path,
-  );
-
-  return $items;
-}
-
-/**
- * Implementation of hook_permission()
- *
- * @return array - permissions set for the pinserver_plus module
- */
-function pinserver_plus_permission() {
-  return array(
-    'administer pinserver_plus' => array(
-      'title' => t('Administer Pin server plus module'),
-      'description' => t('Administer the Pin server plus module')
-    )
-  );
-}
-
-/**
- * Implementation of hook_theme()
- */
-function pinserver_plus_theme() {
-  return array(
-    'pinserver_plus_token_error' => array(
-      'arguments' => array('values' => NULL)
-    ),
-  );
-}
-
-/**
- * Redirect user to PIN login url  
- */ 
-function pinserver_plus_redirect() {
-  $pin_redirect = PIN_URL . '?__authen_application=' . PIN_APP_NAME;
-  drupal_goto($pin_redirect);
-}
-
-/**
- * First function called after user has authenticated via pinserver_plus and returned to site
- */
-function pinserver_plus_checkuser() { // changed from pinserver_plus_check_user to pinserver_plus_checkuser, as the former looks like a hook to Coder.  BRS 2012-10-18
-
-  // First, parse and validate the PIN token.
-  $token_data = pinserver_plus_check_token();
- 
-  // If any errors are returned, redirect to an error page.
-  if (is_array($token_data) && count($token_data['errors']) > 0) {
-    $errors = implode(',', array_unique($token_data['errors']));
-    drupal_goto("pinserver_plus/error/token/$errors");
-    exit();
-  }
-  //if successful pin authentication, place the encrypted harvard uid into a session array
-  $_SESSION['pinserver_plus']['huid'] = $token_data['user_id'];
-  //add time value to session array
-  $_SESSION['pinserver_plus']['reg_time'] = REQUEST_TIME;
-  
-  
-  //hook for dynamic landing path, if no hooks fired, then use static landing path
-  $path = module_invoke_all('pinserver_plus_landing_path');
-  $landing_path = !empty($path) ? end($path) : PIN_LANDING_PATH;
-  
-  //invoke hook_pinserver after sucessful pin login and token authentication
-  module_invoke_all('pinserver');
-
-  //redirect user to landing page that was set in pinserver_plus configuration page
-  drupal_goto($landing_path);
-}
- 
-/**
- * This function prepares the unencrypted PIN v1 token for authentication.
- * @return authentication parameters and signature in a single array. 
- */  
-function pinserver_plus_prepare_pin_v1_token() {
-  $values = array();
-
-  // Collect URL parameters
-  $app = $_GET['__authen_application'];
-  $user_id = $_GET['__authen_huid'];
-  $proxy_id = "";
-  $ip = $_GET['__authen_ip'];
-  $time = $_GET['__authen_time'];
-  $pgp_signature = $_GET['__authen_pgp_signature'];
-  $pgp_version = $_GET['__authen_pgp_version'];      
-
-  // Construct the auth token from the returned URL arguments from PIN server.
-  $values['token'] = $app . "|" . $user_id . "|" . $proxy_id . "|" . $ip . "|" . $time;
-
-  // The signature is passed as is. 
-  $values['pgp_signature'] = $pgp_signature;
-  
-  // User ID is returned as a hash for safer storage.
-  $values['user_id'] = (PIN_HASH_HUID === 1) ? md5($user_id) : $user_id;
-
-  // Time must be converted into unix timestamp.  
-  $exploded_time = explode(" ", $time);
-  $values['time'] = strtotime($exploded_time[1] . " " . $exploded_time[2] . " " . $exploded_time[5] . " " . $exploded_time[3]);
-
-  // Client IP is returned as is. 
-  $values['ip'] = $ip;
-
-  // App Name is returned as is. 
-  $values['app'] = $app;
-
-  // ID type is returned as PIN. 
-  $values['login_type'] = 'PIN';
-  
-  //set appropriate good signature string for this type of token
-  $values['good_sig'] = PIN_AUTH_STR;
-
-  return $values;
-}
-
-/**
- * This function prepares the unencrypted PIN v2 token for authentication.
- * @return authentication parameters and signature in a single array. 
- */  
-function pinserver_plus_prepare_pin_v2_token($pin_parameters, $pin_signature) {
-  $values = array();
-
-  // Deconstruct parameters from the authentication token.
-  $token_array = explode($pin_parameters, '|');
-
-  // The token data is passed as is.
-  $values['token'] = $pin_parameters;
-
-  // The signature is passed as is. 
-  $values['pgp_signature'] = $pgp_signature;
-  
-  // App Name is returned as is. 
-  $values['app'] = $token_array[0];
-
-  // User ID is returned as a hash for safer storage.
-  $values['user_id'] =  (PIN_HASH_HUID === 1) ? md5($token_array[1]) : $token_array[1];
-
-  // Unused parameter proxy_id
-  // $values['proxy_id'] = $token_array[2];
-
-  // Client IP is returned as is. 
-  $values['ip'] = $token_array[3];
-
-  // Time must be converted into unix timestamp.  
-  $exploded_time = explode(" ", $token_array[4]);
-  $values['time'] = strtotime($exploded_time[1] . " " . $exploded_time[2] . " " . $exploded_time[5] . " " . $exploded_time[3]);
-
-  // Unused parameter "blank"
-  // $token_array[5]
-
-  // ID type is returned as is. 
-  $values['login_type'] = $token_array[6];
-  
-  //set appropriate good signature string for this type of token
-  $values['good_sig'] = PIN_AUTH_STR;   
-
-  return $values;
-}
-
-/**
- * pinserver_plus_check_token()
- *
- * This function serves to check all components of the returned token in compliance with the 
- * Harvard UIS procedures speficied at: http://www.pin.harvard.edu/dev-guide-token.shtml
- * It is instantiated when the user has just logged in via the Harvard PIN server and has now 
- * been returned to the Drupal site
- *
- * @return if the detached signature is deemed good, it returns "pinserver_plus_checkuser($user_id)". Otherwise
- * it prohibits the user from logging in.
- */
-function pinserver_plus_check_token() {
-
-  // Initialize the return values.
-  $return = array('errors' => array());
-
-  /*
-   * Prepare token differently depending on the token type and version
-   */
-  // Pin Token Version 2
-  if ($pin_parameters = $_GET['__authen_parameters'] && $pin_signature = $_GET['__authen_pgp_signature']) {
-    $values = pinserver_plus_prepare_pin_v2_token($pin_parameters, $pin_signature);
-  }
-  // Pin Token Version 1
-  elseif ($_GET['__authen_huid']) {
-    $values = pinserver_plus_prepare_pin_v1_token();
-  }
-  else {
-    drupal_goto("pinserver_plus/error/token/unrecognized-url");
-    exit();
-  }
-  
-  $pgp_message = "-----BEGIN PGP SIGNED MESSAGE-----" . "\n";
-  $pgp_message .= "Hash: SHA1" . "\n";
-  $pgp_message .= "\n";
-  $pgp_message .= $values['token'] . "\n";
-  $pgp_message .= "-----BEGIN PGP SIGNATURE-----" . "\n";
-  $pgp_message .= "Version: 5.0" . "\n";
-  $pgp_message .= "\n";
-  $pgp_message .= $values['pgp_signature'] . "\n";
-  $pgp_message .= "-----END PGP SIGNATURE-----" . "\n";
-
-  $stdout = "";
-  $stderr = "";
-
-  // Use gnupg to verify signature.
-  $descriptorspec = array(
-    0 => array('pipe', 'r'), // stdin
-    1 => array('pipe', 'w'), // stdout
-    2 => array('pipe', 'w') // stderr
-  );
-
-   $process = proc_open("gpg --homedir '" . GPG_DIR . "' --verify", $descriptorspec, $pipes);
-   
-  if (!is_resource($process)) {
-    $values['errors'][] = 'signature';
-    $values = implode(',', array_unique($values['errors']));
-    drupal_goto("pinserver_plus/error/token/$values");
-    exit();
-  }
-
- fwrite($pipes[0], $pgp_message);
-  fclose($pipes[0]);
-  fclose($pipes[1]);
-
-  // read stderr ;
-  while (!feof($pipes[2])) {
-    $stderr .= fgets($pipes[2], 1024);
-  }
-  fclose($pipes[2]);
-  $return_value = proc_close($process);
-
-  /** 
-   * Save errors to file if set in configuration options and file exists. 
-   * File should be placed below root, recommended only for development/testing. 
-   */
-  if (GPG_ERROR_LOG !== '') {
-    $fp = fopen(GPG_ERROR_LOG, 'w');
-    fwrite($fp, $stderr);
-    fclose($fp);
-  }
-
-  // If good signature statement is not found within gpg output 
-  // or exit code from process is not 0, then it is a bad signature. 
-  if (strpos($stderr,  $values['good_sig']) === FALSE || $return_value != 0) {
-    print "Good[{$values['good_sig']}] Mine[$stderr]";
-    $values['errors'][] = 'signature'; 
-  }
-
-  /*
-  Now that PGP Signature has been verified, all other token components
-  that require validation must be processed, as specified by the HU directory
-  services developer's manual: http://www.pin.harvard.edu/dev-guide-token.shtml
-  This includes checking the following URL parameters: 
-  1) __authen_application / "Application Id" must match the application name
-  2) __authen_ip / "Ip Address" must match the IP address of the current user
-  3) __authen_time / "Timestamp" is valid and not more than a few minutes old
-  */
-
-  // Verify application name.
-  if ($values['app'] != PIN_APP_NAME) {
-    $values['errors'][] = 'name';
-  }  
-  
-  if (PIN_IP_VAL == 1) {
-    // Verify current user's IP address.
-    if ( $values['ip'] !== $_SERVER['REMOTE_ADDR'] ) {
-      $values['errors'][] = 'ip-mismatch';
-    }
-  }
-  
-  // Verify time parameter is not longer than 2 minutes old. 
-  // The PHP abs() function converts integers to absolute values (unsigned).
-  // Subtract timestamp value sent by PIN server from the current time (on web server)
-  // 120 equals 2 minutes; could change this to 60 but no more than 180
-  if (abs($values['time'] - REQUEST_TIME) > 120) {
-    $values['errors'][] = 'time-elapsed';
-  }
-  //echo "<pre>"; print_r($values); die;
-  return $values; 
-}
-
-/**
- * Function to check system settings
- */
-function pinserver_plus_check_system_settings() {  
-  
-  $settings = array(
-  'PIN_URL' => PIN_URL,
-  'PIN_LANDING_PATH' =>  PIN_LANDING_PATH,
-  'PIN_AUTH_STR' => PIN_AUTH_STR,
-  'GPG_DIR' => GPG_DIR,
-  'GPG_BIN' => GPG_BIN,
-  );
-
-  $info = array(
-    'value' => TRUE,
-    'message' => '',
-  );
-  
-  //check to see if all settings are set
-  foreach ($settings as $key => $setting) {
-    if (empty($setting)) {
-      $missing_settings[] = strtolower($key);      
-    }    
-  }
-  if (count($missing_settings)) {
-    $message = 'ALERT: scholar pinserver_plus is missing system settings: ';
-    foreach ($missing_settings as $setting) {
-      $message .= $setting . ' ';
-    }
-    $info['value'] = FALSE;
-    $info['message'] = $message . '. ';
-  }
-
-  if (!is_dir(GPG_DIR)) {
-    $message = 'The system path for gpg_dir directory is invalid or does not exist.';
-    $info['value'] = FALSE;
-    $info['message'] .= $message;
-  }
- 
-  return $info;
-}
-
-/**
- * Log error and display message
- * @param  string $type - string to identify message type to display
- * @param  string $values - comma separated list of errors encountered
- */
-function pinserver_plus_error($type, $values) {
-  switch ($type) {
-    case 'token':
-      //log the errors
-      error_log("The pinserver_plus module has errored in processing the token in the following categories: $values");
-      return theme('pinserver_plus_token_error', explode(',', $values));
-      break;
-    default:
-      return '';
-  }
-}
-
-/**
- * theme_pinserver_plus_token_error()
- * @param  array $values - all errors that occured due to a problem with the token or token processing. 
- */
-function theme_pinserver_plus_token_error($values = NULL) {
-  $message = '<p>Communication with the Harvard PIN server failed.';
-  if (in_array('ip-mismatch', $values)) {
-    error_log("The pinserver_plus module found an ip-mismatch comparing url IP {$_GET['__authen_ip']} to remote address {$_SERVER['REMOTE_ADDR']} ");
-    $message .= ' Note: Use of a VPN or tunnel connection may cause problems with PIN authentication.';
-  }
-  $message .= ' Please ' . l('try again', PIN_URL . '?__authen_application=' . PIN_APP_NAME);
-  if (valid_email_address(PIN_SUPPORT_CONTACT)) {
-    $message .= ' or ' . l('contact us.', 'contact');
-  }
-  $message .= '.</p>';
-  return $message;
-}
-
-/**
- * Implementation of hook_pinserver().
+ * Implements hook_pinserver().
  */
 function pinserver_plus_pinserver() {
   global $user;
@@ -456,9 +54,9 @@ function pinserver_plus_pinserver() {
 }
 
 /**
- * Update existing drupal user for given Harvard PIN user.  Look up
- * harvard user in LDAP to update drupal username and email.  Should
- * only be called for old (pre August 2012) accounts before we had
+ * Updates existing drupal username and email for given Harvard PIN via LDAP.
+ *
+ * Should only be called for old (pre August 2012) accounts before we had
  * access to LDAP (when username and email were based on ugly hashed
  * huid).
  */
@@ -475,7 +73,8 @@ function update_pinuser($user, $huid) { // renamed update_pin_user to suppress C
 }
 
 /**
- * Create a new drupal user for given Harvard PIN user.
+ * Creates a new drupal user for given Harvard PIN user.
+ *
  * Look up harvard user in LDAP to create drupal username and email.
  */
 function create_pinuser($huid) { // renamed create_pin_user to suppress Coder error
@@ -494,94 +93,8 @@ function create_pinuser($huid) { // renamed create_pin_user to suppress Coder er
 }
 
 /**
- * Save new or existing pin-based drupal user to the database.
- * Check to make sure username and email are not already taken and increment if necessary.
- */
-function save_pinuser($user, $properties) { // renamed save_pin_user to suppress Coder error
-  if ( username_already_taken($properties['name']) ) {
-    $properties['name'] = increment_username($properties['name']);
-    return save_pinuser($user, $properties);
-  } 
-  elseif ( email_already_taken($properties['mail']) ) {
-    $properties['mail'] = increment_email($properties['mail']);
-    return save_pinuser($user, $properties);
-  } 
-  else {
-    return user_save($user, $properties);
-  }
-};
-
-/**
- * @TODO document
- *
- * @param $username
- * @return mixed
- */
-function username_already_taken($username) {
-  // was: return db_result(db_query("SELECT count(*) from {users} WHERE name = '%s'", $username));
-  return db_query("SELECT count(*) from {users} WHERE name = :name", array(':name' => $username))->fetchField();
-}
-
-/**
- * @TODO document
+ * Gets name and email from ldap for given huid.
  *
- * @param $email
- * @return mixed
- */
-function email_already_taken($email) {
-  // was: return db_result(db_query("SELECT count(*) from {users} WHERE mail = '%s'", $email));
-  return db_query("SELECT count(*) from {users} WHERE mail = :mail", array(':mail' => $email))->fetchField();
-}
-
-/**
- * Crude suffix generation for duplicate username handling.
- * If last characters are numbers, increment by 1 and return. If they are not, append " 1"
- */
-function increment_username($name) {
-  $matches = array();
-  if (preg_match('/^(\D+) (\d+)$/',  $name, $matches)) {
-      $base_name = $matches[1];
-      $number = $matches[2]+1;
-      return $base_name . " " . $number;
-  } 
-  else {
-    return $name . " 1";
-  }
-}
-
-/**
- * Crude suffix generation for duplicate email handling.
- * Uses plus addressing.
- * If last characters are plus sign followed by numbers, increment by 1 and return. If they are not, append "+1"
- */
-function increment_email($email) {
-  $matches = array();
-  if (preg_match('/^(.+?)\+(\d+)(\@.+?)$/',  $email, $matches)) {
-      $base_name = $matches[1];
-      $number = $matches[2]+1;
-      $domain = $matches[3];
-      return $base_name . "+" . $number . $domain;
-  } 
-  else {
-    return preg_replace("/\@/", "+1@", $email);
-  }
-}
-
-/**
- * Figure out where to redirect the user after pin authentication.
- */
-function pinserver_plus_landing_path() {
-  $landing_path = $_COOKIE['pin_dest'];
-  if ( isset($_GET['destination']) ) {
-    $landing_path=$_GET['destination'];
-    error_log("Got destination from url: " . $landing_path);
-  }
-  #error_log("Landing path: " . $landing_path);
-  return $landing_path;
-}
-
-/**
- * Get name and email from ldap for given huid.
  * TODO: move connection information to configuration. (soon!)
  */
 function get_ldap_info($huid) {
@@ -621,105 +134,8 @@ function get_ldap_info($huid) {
 }
 
 /**
- * Create an attractive drupal username based on LDAP information.
+ * Creates an attractive drupal username based on LDAP information.
  */
 function generate_username($ldap_info) {
   return $ldap_info['first'] . ' ' . $ldap_info['last'];
 }
-
-/**
- * Checks database table for user
- *
- * @param encrypted $hashed_huid
- * @return drupal user id
- */
-function pinserver_plus_check_row($hashed_huid) {
-  // was: return db_result(db_query("SELECT uid FROM {pinserver_plus} WHERE huid = '%s'", $hashed_huid));
-  return db_query("SELECT uid FROM {pinserver_plus} WHERE huid = :huid", array(':huid' => $hashed_huid))->fetchField();
-}
-
-/**
- * Adds a new row to huid to drupal user id mapping database table.
- */
-function pinserver_plus_add_row($uid, $hashed_huid = NULL) {
-  $object = new stdClass();
-  $object->uid = (int)$uid;
-  $object->huid= ($hashed_huid) ? $hashed_huid : salted_md5( pinserver_plus_get_session_huid());
-  $object->reg_time = REQUEST_TIME;
-  // was: if (!db_result(db_query("SELECT uid FROM {pinserver_plus} WHERE huid = '%s'", salted_md5( pinserver_get_session_huid())))) {
-  if (!db_query("SELECT uid FROM {pinserver_plus} WHERE huid = :huid", array(':huid' => salted_md5( pinserver_plus_get_session_huid())))->fetchField()) { // check that this is right with bang at beginning....  BRS
-    drupal_write_record('pinserver_plus', $object);
-    return TRUE;
-  }
-  return FALSE;
-}
-
-/**
- *  create md5 hash of the huid so we can securely store that semi-sensitive information.
- */
-function salted_md5($string) {
-  $dash_suffix=PIN_SALT;
-  return md5($string . $dash_suffix);
-}
-
-/**
- * Implementation of hook_form_alter : adds pinserver_plus login to the login forms.
- */
-function pinserver_plus_form_alter(&$form, &$form_state, $form_id) {
-  if ($form_id == 'user_login_block' || $form_id == 'user_login') {
-    drupal_add_css(drupal_get_path('module', 'pinserver_plus') . '/pinserver_plus.css', 'module');
-    drupal_add_js('misc/jquery.cookie.js'); // is this right?
-    drupal_add_js(array('app' => PIN_APP_NAME), 'setting');
-    drupal_add_js(array('email' => PIN_SUPPORT_CONTACT), 'setting');
-    drupal_add_js(drupal_get_path('module', 'pinserver_plus') . '/pinserver_plus.js');
-
-    if (!empty($form_state['post']['pinserver_plus_identifier'])) {
-      $form['name']['#required'] = FALSE;
-      $form['pass']['#required'] = FALSE;
-      unset($form['#submit']);
-      $form['#validate'] = array('pinserver_plus_login_validate');
-    }
-
-    $items = array();
-
-    // here's the prob. block gets cached.
-    // we could use js to set a cookie
-    // OK, that's what we're doing now (see pinserver_plus.js)
-
-    #$_SESSION['destination'] = request_uri(); //drupal_get_destination();	
-    #error_log("reinhard user.module: set SESSION destination: " . $_SESSION['destination']);
-
-    if ( PIN_APP_NAME ) {
-      // only prompt if we actually have an app registered.
-      $items[] = l(t('Log in using Harvard PIN'), 'https://www.pin1.harvard.edu/pin/authenticate?__authen_application=' . PIN_APP_NAME);
-    }
-
-    $form['pinserver_plus_links'] = array(
-      '#value' => theme('item_list', $items),
-      '#weight' => 1,
-    );
-    $form['links']['#weight'] = 10;
-
-    $form['pinserver_plus.return_to'] = array('#type' => 'hidden', '#value' => url('pinserver_plus/authenticate', array('absolute' => TRUE, 'query' => drupal_get_destination())));
-  }
-  elseif ($form_id == 'user_register' && isset($_SESSION['pinserver_plus']['values'])) {
-    // We were unable to auto-register a new user. Prefill the registration
-    // form with the values we have.
-    $form['name']['#default_value'] = $_SESSION['pinserver_plus']['values']['name'];
-    $form['mail']['#default_value'] = $_SESSION['pinserver_plus']['values']['mail'];
-    // If user_email_verification is off, hide the password field and just fill
-    // with random password to avoid confusion.
-    if (!variable_get('user_email_verification', TRUE)) {
-      $form['pass']['#type'] = 'hidden';
-      $form['pass']['#value'] = user_password();
-    }
-    $form['auth_pinserver_plus'] = array('#type' => 'hidden', '#value' => $_SESSION['pinserver_plus']['values']['auth_pinserver_plus']);
-    $form['pinserver_plus_display'] = array(
-      '#type' => 'item',
-      '#title' => t('Your Pinserver Plus'),
-      '#description' => t('This Pinserver Plus will be attached to your account after registration.'),
-      '#value' => check_plain($_SESSION['pinserver_plus']['values']['auth_pinserver_plus']),
-    );
-  }
-  return $form;
-}

From 66b36cf46d3756d22d8e3cbcadff656b8989b5ca Mon Sep 17 00:00:00 2001
From: oren <get.oren@gmail.com>
Date: Tue, 4 Feb 2014 14:34:45 -0500
Subject: [PATCH 04/16] Remove readme

---
 README.md | 46 ----------------------------------------------
 1 file changed, 46 deletions(-)
 delete mode 100644 README.md

diff --git a/README.md b/README.md
deleted file mode 100644
index c7e99f7..0000000
--- a/README.md
+++ /dev/null
@@ -1,46 +0,0 @@
-## About
-
-A Drupal module that servers as an interface between [Harvard University PIN system](http://www.pin.harvard.edu/)
-and Drupal applications / websites. The purpose of this module is to encapsulate low level details of
-PIN and provide and set of APIs for drupal developers.
-
-The module was developed for and it's part of [OpenScholar](http://openscholar.harvard.edu)
-distribution but does not depend on OpenScholar and can be used in any Drupal installation.
-
-
-## Install
-
-In order to get a working PIN application on a Drupal site, you will need to:
-
-1. [Install the module](http://drupal.org/documentation/install/modules-themes)
-2. [Register as a PIN2 customer](http://reference.pin.harvard.edu/dev-registration)
-3. [Download and install GPG](http://www.gnupg.org/download/index.en.html)
-4. [Create a GPG key on your server](http://www.dewinter.com/gnupg_howto/english/GPGMiniHowto-3.html#ss3.1)
-5. [Import the Harvard PIN public key](http://www.dewinter.com/gnupg_howto/english/GPGMiniHowto-3.html#ss3.3)
-6. Send your public GPG key to directory_services@harvard.edu
-7. Configure your GPG and Harvard PIN application info at /admin/settings/pinserver
-8. Additionally enable the pinserver_authenticate module to allow login via pin
-
-Note: This module currently only implements Harvard PIN API version 1 and
-version 2. There is currently no support in this module for Oracle Access
-Manager (Harvard PIN API version 3).
-
-For more information about developing with PIN, see the
-[Harvard PIN Customer Guide](http://reference.pin.harvard.edu/dev-overview)
-or the Harvard PIN2 [Developer Resources PDF](http://reference.pin.harvard.edu/sites/reference.pin.harvard.edu/files/PIN2%20Developer%20Resources.pdf)
-
-## Contribute
-
-* Write help and docs in our [wiki](https://github.com/openscholar/pinserver/wiki)
-* Submit a bug or ask for support at our [issue queue](https://github.com/openscholar/pinserver/issues)
-* Contribute with bug fixes and new features by sending us pull requests
-
-
-## Credits
-
-Joe Weiner [@jjweiner](https://github.com/jjweiner), Richard Brandon [@rbran100](https://github.com)
-, Shane Dupree [@shanedupree](https://github.com/shanedupree), 
-Oren Robinson [@baisong](https://github.com/baisong), Seth Gregory, Blaise Freeman, Matt Petrovic [@mpetrovic](https://github.com),
-Ferdi Alimadhi [@Ferdi](https://github.com/Ferdi) for their contribution with code and/or ideas.
-
-Special thanks to [IQSS](http://iq.harvard.edu) and [HWP](http://hwp.harvard.edu) for supporting our work.

From be2797964de51cb5bca2ba00e78d0e459016f001 Mon Sep 17 00:00:00 2001
From: oren <get.oren@gmail.com>
Date: Tue, 4 Feb 2014 14:37:49 -0500
Subject: [PATCH 05/16] remove duplicate api.inc file

---
 includes/pinserver.api.inc                   | 105 -------------------
 modules/pinserver_ldap/pinserver_ldap.module |   2 -
 2 files changed, 107 deletions(-)
 delete mode 100644 includes/pinserver.api.inc

diff --git a/includes/pinserver.api.inc b/includes/pinserver.api.inc
deleted file mode 100644
index cf32eb5..0000000
--- a/includes/pinserver.api.inc
+++ /dev/null
@@ -1,105 +0,0 @@
-<?php
-
-/**
- * Returns TRUE user has logged in through pinserver.
- *
- * @param int $timeout
- * - Desired maximum session length, in seconds. Use FALSE for no timeout.
- *
- * @return bool
- */
-function pinserver_check_status($timeout = FALSE) {
-
-  // Verifies that the current user has a valid token with reg_time & HUID.
-  if ($user = pinserver_get_user_huid()) {
-    // Immediately returns TRUE if there is no timeout set.
-    if (!$timeout) {
-      return TRUE;
-    }
-
-    // Otherwise, only returns TRUE if we are before the timeout time.
-    $pin_user = pinserver_get_user();
-    if (time() < ($pin_user['reg_time'] + $timeout)) {
-      return TRUE;
-    }
-  }
-  return FALSE;
-}
-
-/**
- * Checks if user is Harvard employee based on pinserver variable.
- *
- * @return string or FALSE
- */
-function pinserver_is_harvard_employee() {
-
-  if($user = pinserver_get_user() && isset($user['harvard_employee'])){
-    return $user['harvard_employee'];
-  }
-
-  return FALSE;
-}
-
-/**
- * Returns the current pinserver user.
- *
- * @param $user
- * The pin user to set as logged in.
- *
- * @param $use_session
- * Should this pin user be stored in the session.
- */
-function pinserver_get_user($user = false, $set_session = false) {
-  $pin_user = &drupal_static(__FUNCTION__);
-
-  if ($user) {
-    $pin_user = $user;
-
-    if (isset($_SESSION['pinserver']) || $set_session) {
-      $_SESSION['pinserver'] = $user;
-    }
-  }
-  elseif (empty($pin_user) && !empty($_SESSION['pinserver'])) {
-    $pin_user = $_SESSION['pinserver'];
-  }
-
-  return $pin_user;
-}
-
-/**
- * Returns the huid of the logged-in pinserver user.
- */
-function pinserver_get_user_huid() {
-
-  if(($user = pinserver_get_user()) && isset($user['huid'])){
-    return $user['huid'];
-  }
-
-  return FALSE;
-}
-
-/**
- * Remove session values set after successful pinserver login.
- */
-function pinserver_remove_session() {
-  // Remove session values.
-  if (isset($_SESSION['pinserver'])) {
-    unset($_SESSION['pinserver']);
-  }
-}
-
-/**
- * Create a user and set them as logged in using token data.
- */
-function pinserver_add_user_from_token($token_data, $use_session = FALSE){
-
-  // Places encrypted harvard uid into session array.
-  $pin_user['huid'] = $token_data['user_id'];
-  $pin_user['reg_time'] = time();
-
-  if(isset($token_data['department']) && !empty($token_data['department'])) {
-    $pin_user['harvard_employee'] = $token_data['department'];
-  }
-
-  pinserver_get_user($pin_user, $use_session);
-}
\ No newline at end of file
diff --git a/modules/pinserver_ldap/pinserver_ldap.module b/modules/pinserver_ldap/pinserver_ldap.module
index 6c7cbc7..872c237 100644
--- a/modules/pinserver_ldap/pinserver_ldap.module
+++ b/modules/pinserver_ldap/pinserver_ldap.module
@@ -12,8 +12,6 @@ define('PIN_LDAP_URL', variable_get('pinserver_plus_ldap_url', ''));
 define('PIN_LDAP_USER', variable_get('pinserver_plus_ldap_user', ''));
 define('PIN_LDAP_PASSWORD', variable_get('pinserver_plus_ldap_password', ''));
 
-module_load_include('inc', 'pinserver_plus', 'includes/pinserver_plus.api');
-
 /**
  * Implements hook_pinserver().
  */

From b31181980e72f0780afecfed6f39bde60c6874f1 Mon Sep 17 00:00:00 2001
From: oren <get.oren@gmail.com>
Date: Tue, 4 Feb 2014 14:38:07 -0500
Subject: [PATCH 06/16] remove non-LDAP settings from admin form builder

---
 .../pinserver_ldap/pinserver_ldap.admin.inc   | 136 +++---------------
 1 file changed, 22 insertions(+), 114 deletions(-)

diff --git a/modules/pinserver_ldap/pinserver_ldap.admin.inc b/modules/pinserver_ldap/pinserver_ldap.admin.inc
index a5032b9..402c5f8 100644
--- a/modules/pinserver_ldap/pinserver_ldap.admin.inc
+++ b/modules/pinserver_ldap/pinserver_ldap.admin.inc
@@ -1,130 +1,38 @@
 <?php
 
-//@file pinserver_plus.admin.inc
-
 /**
- * pinserver_plus_config()
- *
- * @return array - returns form for pinserver_plus administrative settings
+ * @file
+ * Includes settings form builder.
  */
-function pinserver_plus_config() {
-  global $base_url;
-
-  $form['pinserver_plus'] = array(
-  '#type' => 'fieldset',
-  '#title' => t('Harvard Pinserver Plus Configuration'),
-  '#collapsible' => TRUE,
-  '#collapsed' => FALSE,
-  );
-
-  $form['pinserver_plus']['pinserver_plus_pin_url'] = array(
-  '#type' => 'textfield',
-  '#required' => TRUE,
-  '#title' => t('Harvard PIN Server URL'),
-  '#default_value' => variable_get('pinserver_plus_pin_url', ''),
-  '#description' => t('Enter PIN server URL. For example: https://www.pin1.harvard.edu/pin/authenticate'),
-  );
-
-  $form['pinserver_plus']['pinserver_plus_app_name'] = array(
-  '#type' => 'textfield',
-  '#title' => t('Harvard PIN server application name'),
-  '#required' => TRUE,
-  '#default_value' => variable_get('pinserver_plus_app_name', ''),
-  '#description' => t('Enter the application name given to you by Harvard Directory Services.' ),
-  );
 
-  $form['pinserver_plus']['pinserver_plus_target'] = array(
-  '#type' => 'textfield',
-  '#title' => t('Harvard PIN server target path'),
-  '#required' => TRUE,
-  '#default_value' => variable_get('pinserver_plus_target', ''),
-  '#description' => t('Enter the path given to you by Harvard Directory Services, e.g. "pinserver/auth".' ),
-  );
-
-  $form['pinserver_plus']['pinserver_plus_salt'] = array(
-  '#type' => 'textfield',
-  '#title' => t('Harvard PIN server salt'),
-  '#required' => TRUE,
-  '#default_value' => variable_get('pinserver_plus_salt', ''),
-  '#description' => t('Enter the salt used to encode HUIDs.' ),
-  );
+/**
+ * Settings form builder for LDAP configuration.
+ */
+function pinserver_ldap_settings_form() {
 
   $form['pinserver_plus']['pinserver_plus_ldap_url'] = array(
-  '#type' => 'textfield',
-  '#title' => t('Harvard LDAP URL'),
-  '#required' => TRUE,
-  '#default_value' => variable_get('pinserver_plus_ldap_url', ''),
-  '#description' => t('Enter the LDAP URL given to you by Harvard Directory Services, something like "ldaps://hu-ldap.harvard.edu".' ),
+    '#type' => 'textfield',
+    '#title' => t('Harvard LDAP URL'),
+    '#required' => TRUE,
+    '#default_value' => variable_get('pinserver_plus_ldap_url', ''),
+    '#description' => t('Enter the LDAP URL given to you by Harvard Directory Services, something like "ldaps://hu-ldap.harvard.edu".' ),
   );
 
   $form['pinserver_plus']['pinserver_plus_ldap_user'] = array(
-  '#type' => 'textfield',
-  '#title' => t('Harvard LDAP user string'),
-  '#required' => TRUE,
-  '#default_value' => variable_get('pinserver_plus_ldap_user', ''),
-  '#description' => t('Enter the LDAP user string given to you by Harvard Directory Services, something like "uid=xyzzy,ou=applications,o=Harvard University Core,dc=huid,dc=harvard,dc=edu".' ),
+    '#type' => 'textfield',
+    '#title' => t('Harvard LDAP user string'),
+    '#required' => TRUE,
+    '#default_value' => variable_get('pinserver_plus_ldap_user', ''),
+    '#description' => t('Enter the LDAP user string given to you by Harvard Directory Services, something like "uid=xyzzy,ou=applications,o=Harvard University Core,dc=huid,dc=harvard,dc=edu".' ),
   );
 
   $form['pinserver_plus']['pinserver_plus_ldap_password'] = array(
-  '#type' => 'textfield',
-  '#title' => t('Harvard LDAP password'),
-  '#required' => TRUE,
-  '#default_value' => variable_get('pinserver_plus_ldap_password', ''),
-  '#description' => t('Enter the LDAP password given to you by Harvard Directory Services.' ),
-  );
-
-  $form['pinserver_plus']['pinserver_plus_gpg_dir'] = array(
-  '#type' => 'textfield',
-  '#title' => t('Host server path to public key directory'),
-  '#required' => TRUE,
-  '#default_value' => variable_get('pinserver_plus_gpg_dir', ''),
-  '#description' => t('Enter the absolute path to the GPG directory on your web server where the PIN Server or AuthProxy public key information is stored.' ),
-  );
-
-  $form['pinserver_plus']['pinserver_plus_landing_path'] = array(
-  '#type' => 'textfield',
-  '#title' => t('Landing Path'),
-  '#required' => TRUE,
-  '#default_value' => variable_get('pinserver_plus_landing_path', ''),
-  '#description' => t('Specify the path to redirect the user after all pinserver_plus module processing is complete. Use a relative path that comes after !base_url' . '/', array('!base_url' => $base_url)),
-  );
-
-  $form['pinserver_plus']['pinserver_plus_auth_str'] = array(
-  '#type' => 'radios',
-  '#title' => t('PIN Authentication Server Setup'),
-  '#default_value' => variable_get('pinserver_plus_auth_str', ''),
-  '#options' => array(
-  'Good signature from "Harvard University PIN System' => t('PIN only'),
-  'Good signature from "authzproxy"' => t('PIN with AuthProxy'),
-  ),
-  '#required' => TRUE,
-  '#description' => t('The server that is returning the user back to this site after successful PIN login.'),
-  );
-
-  $form['pinserver_plus']['pinserver_plus_support_contact'] = array(
-  '#type' => 'textfield',
-  '#title' => t('E-mail address for technical support'),
-  '#required' => FALSE,
-  '#default_value' => variable_get('pinserver_plus_support_contact', ''),
-  '#description' => t('Optionally specify contact person to be displayed to user if PIN authentication fails.'),
-  );
-
-  //pinsever GPG logging fields
-
-  $form['pinserver_plus_logging'] = array(
-  '#type' => 'fieldset',
-  '#title' => t('Harvard Pinserver Plus Logging'),
-  '#collapsible' => TRUE,
-  '#collapsed' => FALSE,
-  );
-
-  $form['pinserver_plus_logging']['pinserver_plus_error_log'] = array(
-  '#type' => 'textfield',
-  '#title' => t('Text file to use for logging GPG stderror output'),
-  '#required' => FALSE,
-  '#default_value' => variable_get('pinserver_plus_error_log', ''),
-  '#description' => t('Optionally specify full filename and path from server\'s root directory (not the website\'s root directory). The file should always be below the root directory, and it is recommended only for development sites. Leave blank to disable. Include the first / to indicate the root directory of the webserver.'),
+    '#type' => 'textfield',
+    '#title' => t('Harvard LDAP password'),
+    '#required' => TRUE,
+    '#default_value' => variable_get('pinserver_plus_ldap_password', ''),
+    '#description' => t('Enter the LDAP password given to you by Harvard Directory Services.' ),
   );
 
   return system_settings_form($form);
-}
\ No newline at end of file
+}

From f5fd3fa9dcaf3af3e364465405ee1191d4bf6d4e Mon Sep 17 00:00:00 2001
From: oren <get.oren@gmail.com>
Date: Tue, 4 Feb 2014 15:06:41 -0500
Subject: [PATCH 07/16] Further paring down

---
 modules/pinserver_ldap/pinserver_ldap.module | 151 ++++++-------------
 1 file changed, 44 insertions(+), 107 deletions(-)

diff --git a/modules/pinserver_ldap/pinserver_ldap.module b/modules/pinserver_ldap/pinserver_ldap.module
index 872c237..a7f0fa0 100644
--- a/modules/pinserver_ldap/pinserver_ldap.module
+++ b/modules/pinserver_ldap/pinserver_ldap.module
@@ -6,129 +6,66 @@
  */
 
 /**
- * LDAP constants.
- */
-define('PIN_LDAP_URL', variable_get('pinserver_plus_ldap_url', ''));
-define('PIN_LDAP_USER', variable_get('pinserver_plus_ldap_user', ''));
-define('PIN_LDAP_PASSWORD', variable_get('pinserver_plus_ldap_password', ''));
-
-/**
- * Implements hook_pinserver().
- */
-function pinserver_plus_pinserver() {
-  global $user;
-  $huid = pinserver_plus_get_session_huid();
-  $hashed_huid = salted_md5($huid);
-  $uid = pinserver_plus_check_row($hashed_huid);
-  if (strlen($hashed_huid) && strlen($uid)) {
-    error_log("We already have a drupal user corresponding to this hashed huid."); 
-    $user = user_load($uid);
-    error_log("Hashed HUID: " . $hashed_huid . " -> Drupal UID: " . $uid);
-    if ( $user->name == $hashed_huid ) {
-      error_log("Drupal username looks like a hashed huid... let's update it with LDAP info.");
-      update_pinuser($user, $huid);
-    }
-  } 
-  else {
-    error_log("We haven't seen this huid before: " . $huid);
-    error_log("Let's create a new drupal account for it...");
-    $user = create_pinuser($huid);
-    error_log("Great. Now let's record the mapping between these 2 ids so we can reuse it next time.");
-    error_log("Hashed HUID: " . $hashed_huid . " -> Drupal UID: " . $user->uid);
-    pinserver_plus_add_row($user->uid, $hashed_huid);
-  }
-  // Update the user table timestamp noting user has logged in.
-  // This is also used to invalidate one-time login links.
-  $user->login = REQUEST_TIME;
-  // was: db_query("UPDATE {users} SET login = %d WHERE uid = %d", $user->login, $user->uid);
-  db_update('users')
-    ->fields(array('login' => $user->login))
-    ->condition('uid', $user->uid)
-    ->execute();
-  // Regenerate the session ID to prevent against session fixation attacks.
-  drupal_session_regenerate();
-  // Remove pinserver session variables
-  pinserver_plus_remove_session();
-}
-
-/**
- * Updates existing drupal username and email for given Harvard PIN via LDAP.
+ * Gets name and email from ldap for given HUID.
  *
- * Should only be called for old (pre August 2012) accounts before we had
- * access to LDAP (when username and email were based on ugly hashed
- * huid).
- */
-function update_pinuser($user, $huid) { // renamed update_pin_user to suppress Coder error
-  $ldapinfo = get_ldap_info($huid);
-  $new_username = generate_username($ldapinfo);
-  return save_pinuser(
-    $user,
-    array(
-      'name' => $new_username, //'somename',
-      'mail' => $ldapinfo['email'],
-    )
-  );
-}
-
-/**
- * Creates a new drupal user for given Harvard PIN user.
+ * @param int $huid
+ *   A given user's Harvard HUID.
+ *
+ * @throws Exception
  *
- * Look up harvard user in LDAP to create drupal username and email.
+ * @return array $info
+ *   An indexed array containing:
+ *   - success: TRUE only if there were no errors connecting/binding/querying
+ *   the LDAP server.
+ *   - errors: An array containing any (string) error messages encountered.
+ *   - entries: An indexed array with keys equal to LDAP attribute names,
+ *   and values as arrays containing any value(s) found from the search.
  */
-function create_pinuser($huid) { // renamed create_pin_user to suppress Coder error
-  $ldapinfo = get_ldap_info($huid);
-  $new_username = generate_username($ldapinfo);
-  return save_pinuser(
-    new stdClass(),
-    array(
-      'name' => $new_username, //'somename',
-      'pass' => user_password(),
-      'mail' => $ldapinfo['email'],
-      'roles' => array(),
-      'status' => 1,
-    )
+function pinserver_ldap_attributes_from_huid($huid) {
+  $info = array(
+    'success' => FALSE,
   );
-}
+  $url = variable_get('pinserver_ldap_url', '');
+  $username = variable_get('pinserver_ldap_username', '');
+  $password = variable_get('pinserver_ldap_password', '');
+
+  #error_log("Host: " . $_SERVER['HTTP_HOST']);
+  #error_log("Getting ldap info from " . $url);
 
-/**
- * Gets name and email from ldap for given huid.
- *
- * TODO: move connection information to configuration. (soon!)
- */
-function get_ldap_info($huid) {
-  $ldap_info = array();
-  error_log("Host: " . $_SERVER['HTTP_HOST']);
-  $url = PIN_LDAP_URL;
-  error_log("Getting ldap info from " . $url);
-  $username = PIN_LDAP_USER;
-  $password = PIN_LDAP_PASSWORD;
   ldap_set_option(NULL, LDAP_OPT_DEBUG_LEVEL, 7);
   $ds = ldap_connect($url);
-  if ( !$ds ) {
-    throw new Exception("Couldn't connect to LDAP.");
+  if (!$ds) {
+    $info['errors'][] = t("Couldn't connect to LDAP.");
+    return $info;
   }
+
   ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
   ldap_set_option($ds, LDAP_OPT_REFERRALS, 0); 
   $db = ldap_bind($ds, $username, $password);
-  if (! $db) {
-    throw new Exception("Couldn't bind to LDAP.");
+  if (!$db) {
+    $info['errors'][] = t("Couldn't bind to LDAP.");
+    return $info;
   }
-  $search_dn     = "ou=people, o=Harvard University Core, dc=huid, dc=harvard, dc=edu";
-  $search_filter =  "(&(harvardeduidnumber=" . $huid . "))";
-  $sr=ldap_search($ds, $search_dn, $search_filter);  
+
+  $search_dn = "ou=people, o=Harvard University Core, dc=huid, dc=harvard, dc=edu";
+  $search_filter = "(&(harvardeduidnumber=" . $huid . "))";
+  $sr = ldap_search($ds, $search_dn, $search_filter);
+  if ($sr === FALSE) {
+    $info['errors'][] = t('An error occurred while attempting to search LDAP.');
+    return $info;
+  }
+  $info['success'] = TRUE;
+
   #echo "\nSearch result is " . $sr . "<br />";
   #echo "\nNumber of entries returned is " . ldap_count_entries($ds, $sr) . "<br />";
-  $info = ldap_get_entries($ds, $sr);
+
+  $entries = ldap_get_entries($ds, $sr);
+  $info['entries'] = $entries;
+
   #echo "\nData for " . $info["count"] . " items returned:<p>";
   #var_dump($info);
-  for ($i=0; $i<$info["count"]; $i++) {
-    $ldap_info['last']   = $info[$i]["sn"][0];
-    $ldap_info['first']  = $info[$i]["givenname"][0];
-    $ldap_info['middle'] = $info[$i]["harvardedumiddlename"][0];
-    $ldap_info['email']  = $info[$i]["mail"][0];
-  }
-  error_log("Got this info: " . $ldap_info['last']);
-  return $ldap_info;
+
+  return $info;
 }
 
 /**

From 55c676061374bef1c4a401e30cd1d58f3a924a6c Mon Sep 17 00:00:00 2001
From: oren <get.oren@gmail.com>
Date: Wed, 5 Mar 2014 10:22:30 -0500
Subject: [PATCH 08/16] Add new LDAP settings to pinserver config form.

---
 pinserver.admin.inc | 35 +++++++++++++++++++++++++++++++++--
 1 file changed, 33 insertions(+), 2 deletions(-)

diff --git a/pinserver.admin.inc b/pinserver.admin.inc
index 5202d7f..6835ce0 100644
--- a/pinserver.admin.inc
+++ b/pinserver.admin.inc
@@ -110,8 +110,7 @@ function pinserver_config() {
   );
 
 
-  //pinsever GPG logging fields
-
+  // Pinsever GPG logging fields
   $form['pinserver_logging'] = array(
     '#type' => 'fieldset',
     '#title' => t('Harvard Pinserver Logging'),
@@ -139,5 +138,37 @@ function pinserver_config() {
     '#description' => t('Optionally specify full filename and path from server\'s root directory (not the website\'s root directory). The file should always be below the root directory, and it is recommended only for development sites. Include the first / to indicate the root directory of the webserver.'),
   );
 
+  // Pinserver LDAP fields.
+  $form['pinserver_ldap'] = array(
+    '#type' => 'fieldset',
+    '#title' => t('Harvard Pinserver LDAP'),
+    '#collapsible' => TRUE,
+    '#collapsed' => TRUE,
+  );
+
+  $form['pinserver_ldap']['pinserver_plus_ldap_hostname'] = array(
+    '#type' => 'textfield',
+    '#title' => t('Harvard LDAP hostname'),
+    '#required' => TRUE,
+    '#default_value' => variable_get('pinserver_plus_ldap_hostname, ''),
+    '#description' => t('Enter the LDAP URL given to you by Harvard Directory Services, something like "ldaps://hu-ldap.harvard.edu".' ),
+  );
+
+  $form['pinserver_ldap']['pinserver_plus_ldap_uid'] = array(
+    '#type' => 'textfield',
+    '#title' => t('Harvard LDAP user string'),
+    '#required' => TRUE,
+    '#default_value' => variable_get('pinserver_plus_ldap_uid', ''),
+    '#description' => t('Enter the LDAP uid given to you by Harvard Directory Services.'),
+  );
+
+  $form['pinserver_ldap']['pinserver_plus_ldap_bind_password'] = array(
+    '#type' => 'textfield',
+    '#title' => t('Harvard LDAP password'),
+    '#required' => TRUE,
+    '#default_value' => variable_get('pinserver_plus_ldap_bind_password', ''),
+    '#description' => t('Enter the LDAP password given to you by Harvard Directory Services.' ),
+  );
+
   return system_settings_form($form);
 }

From e41aef0969759ec72364ffa9b6f6682ab745161b Mon Sep 17 00:00:00 2001
From: oren <get.oren@gmail.com>
Date: Wed, 5 Mar 2014 10:22:40 -0500
Subject: [PATCH 09/16] Remove submodule.

---
 modules/pinserver_ldap/README.md              | 40 ----------
 .../includes/pinserver_ldap.api.inc           | 64 ----------------
 .../pinserver_ldap/pinserver_ldap.admin.inc   | 38 ----------
 modules/pinserver_ldap/pinserver_ldap.info    |  6 --
 modules/pinserver_ldap/pinserver_ldap.install | 67 ----------------
 modules/pinserver_ldap/pinserver_ldap.js      | 74 ------------------
 modules/pinserver_ldap/pinserver_ldap.module  | 76 -------------------
 7 files changed, 365 deletions(-)
 delete mode 100644 modules/pinserver_ldap/README.md
 delete mode 100644 modules/pinserver_ldap/includes/pinserver_ldap.api.inc
 delete mode 100644 modules/pinserver_ldap/pinserver_ldap.admin.inc
 delete mode 100644 modules/pinserver_ldap/pinserver_ldap.info
 delete mode 100644 modules/pinserver_ldap/pinserver_ldap.install
 delete mode 100644 modules/pinserver_ldap/pinserver_ldap.js
 delete mode 100644 modules/pinserver_ldap/pinserver_ldap.module

diff --git a/modules/pinserver_ldap/README.md b/modules/pinserver_ldap/README.md
deleted file mode 100644
index 26a05b8..0000000
--- a/modules/pinserver_ldap/README.md
+++ /dev/null
@@ -1,40 +0,0 @@
-This is a Drupal 7 module for allowing HUID login.  It is an
-adaptation of the Drupal 6 module pinserver, from IQSS, 
-and pinserver\_osc by Reinhard Engels.  Note that although this module
-works, it is not currently in use on a production site.  The Drupal 6
-two-module predecessor to this one is working on the Office for
-Scholarly Communication's sites, however.
-
-This module implements PIN 1 and 2, but not 3.
-
-A D7 version of pinserver is at
-https://github.com/openscholar/pinserver.  A later version of this
-module may break out the additional functionality in order to take
-advantage of the current IQSS module.
-
-Installation
-------------
-
-    cd sites/all/modules/
-    git clone git@git.huit.harvard.edu:pin-server-module-for-drupal-7/pinserver_plus.git
-    drush en pinserver_plus
-
-Or enable the module in the UI.
-
-Configuration
--------------
-
-Go to http://yoursite/#overlay=admin/settings/pinserver_plus.  You will need an
-application name and target, GPG, and LDAP login credentials.  Instructions are 
-linked at https://github.com/openscholar/pinserver/blob/7.x-3.x/README.md. 
-
-The salt is added to the HUID when creating a hash.  In the case of
-the OSC, this had to match the salt used in DASH, so Drupal users
-could be mapped to DASH users.  Your application may vary.
-
-TODO
-----
-
-- Put search string in configuration
-- Add facility for putting HUID users in a role?
-- Take some or all config out of UI?
diff --git a/modules/pinserver_ldap/includes/pinserver_ldap.api.inc b/modules/pinserver_ldap/includes/pinserver_ldap.api.inc
deleted file mode 100644
index 7f17732..0000000
--- a/modules/pinserver_ldap/includes/pinserver_ldap.api.inc
+++ /dev/null
@@ -1,64 +0,0 @@
-<?php
-
-/**
- * @file
- * API functions for the Pinserver_Plus Plus module.
- * 
- */
-
-/**
- * API function - Checks if user can access registration form by checking $_SESSION values
- * The $_SESSION values are only set when a user succesfully 
- * @return unknown
- */
-function pinserver_plus_check_status() {
-  global $user;
-  
-  //allow admin to access the form
-  if ($user->uid == '1') {
-    //return TRUE; // for testing purposes
-  }  
-  if (isset($_SESSION['pinserver_plus']['reg_time']) && isset($_SESSION['pinserver_plus']['huid'])) {
-    return $reg_time =  ((REQUEST_TIME - (int)$_SESSION['pinserver_plus']['reg_time']) < 120) ? TRUE : FALSE;
-  }
-  return FALSE;
-}
-
-/**
- * API function - Return all session values (set after successful pinserver_plus login)
- */
-function pinserver_plus_get_session() {
-  //returns array with pinserver_plus session values if not empty  
-  if (!empty($_SESSION['pinserver_plus'])) {
-    foreach ($_SESSION['pinserver_plus'] as $key => $val) {
-      $session_values['key'] = $val;          
-    } 
-    return $session_values;   
-  }
-  else {
-    return FALSE;
-  }
-}
-
-/**
- * API function - Returns huid (set after successful pinserver_plus login)
- */
-function pinserver_plus_get_session_huid() {
-  //returns array with pinserver_plus session values
-  if ($_SESSION['pinserver_plus']['huid']) {
-    return $_SESSION['pinserver_plus']['huid'];
-  }
-  else {
-    return FALSE;
-  }
-}
-
-/**
- * API function - Remove session values set after successful pinserver_plus login
- */
-function pinserver_plus_remove_session() {
-  //removing session values when new site is created
-  if (isset($_SESSION['pinserver_plus'])) {
-    unset($_SESSION['pinserver_plus']);
-  }
-}
\ No newline at end of file
diff --git a/modules/pinserver_ldap/pinserver_ldap.admin.inc b/modules/pinserver_ldap/pinserver_ldap.admin.inc
deleted file mode 100644
index 402c5f8..0000000
--- a/modules/pinserver_ldap/pinserver_ldap.admin.inc
+++ /dev/null
@@ -1,38 +0,0 @@
-<?php
-
-/**
- * @file
- * Includes settings form builder.
- */
-
-/**
- * Settings form builder for LDAP configuration.
- */
-function pinserver_ldap_settings_form() {
-
-  $form['pinserver_plus']['pinserver_plus_ldap_url'] = array(
-    '#type' => 'textfield',
-    '#title' => t('Harvard LDAP URL'),
-    '#required' => TRUE,
-    '#default_value' => variable_get('pinserver_plus_ldap_url', ''),
-    '#description' => t('Enter the LDAP URL given to you by Harvard Directory Services, something like "ldaps://hu-ldap.harvard.edu".' ),
-  );
-
-  $form['pinserver_plus']['pinserver_plus_ldap_user'] = array(
-    '#type' => 'textfield',
-    '#title' => t('Harvard LDAP user string'),
-    '#required' => TRUE,
-    '#default_value' => variable_get('pinserver_plus_ldap_user', ''),
-    '#description' => t('Enter the LDAP user string given to you by Harvard Directory Services, something like "uid=xyzzy,ou=applications,o=Harvard University Core,dc=huid,dc=harvard,dc=edu".' ),
-  );
-
-  $form['pinserver_plus']['pinserver_plus_ldap_password'] = array(
-    '#type' => 'textfield',
-    '#title' => t('Harvard LDAP password'),
-    '#required' => TRUE,
-    '#default_value' => variable_get('pinserver_plus_ldap_password', ''),
-    '#description' => t('Enter the LDAP password given to you by Harvard Directory Services.' ),
-  );
-
-  return system_settings_form($form);
-}
diff --git a/modules/pinserver_ldap/pinserver_ldap.info b/modules/pinserver_ldap/pinserver_ldap.info
deleted file mode 100644
index f4fe474..0000000
--- a/modules/pinserver_ldap/pinserver_ldap.info
+++ /dev/null
@@ -1,6 +0,0 @@
-; $Id$
-name = Pinserver Plus
-description = Maps a Pinserver HUID account to a Drupal account so you can log in.
-package = Harvard PIN Authentication
-core = 7.x
-files[] = includes/pinserver_plus.api.inc
diff --git a/modules/pinserver_ldap/pinserver_ldap.install b/modules/pinserver_ldap/pinserver_ldap.install
deleted file mode 100644
index b933b9f..0000000
--- a/modules/pinserver_ldap/pinserver_ldap.install
+++ /dev/null
@@ -1,67 +0,0 @@
-<?php
-
-/**
-* @file
-* Pinserver Plus install hooks
-*
-*/
-
-/**
-* Implementation of hook_uninstall()
-*/
-function pinserver_plus_install() {
-  // nothing to do here
-}
-
-/**
-* Implementation of hook_uninstall()
-*/
-function pinserver_plus_uninstall() {
-
-  //remove pinserver plus administrative system variables
-  variable_del('pinserver_plus_pin_url');
-  variable_del('pinserver_plus_app_name');
-  variable_del('pinserver_plus_gpg_dir');
-  variable_del('pinserver_plus_landing_path');
-  variable_del('pinserver_plus_hash_huid');
-  variable_del('pinserver_plus_support_contact');
-  variable_del('pinserver_plus_enable_logging');
-  variable_del('pinserver_plus_error_log');  
-
-//remove other pinserver plus variables
-  variable_del('pinserver_plus_ip_validation');
-  variable_del('pinserver_plus_gpg_bin');  
-}
-
-/**
- * Implementation of hook_schema().
- */
-function pinserver_plus_schema() {
-  $schema['pinserver_plus'] = array(
-    'description' => 'Maps unique encrypted HUID identifier to Drupal user ID',
-    'fields' => array(
-      'uid' => array(
-        'description' => 'Drupal user ID',
-        'type' => 'int',
-        'not null' => TRUE,
-        'default' => 0,
-      ),
-      'huid' => array(
-        'description' => "Holds the Harvard ID of returning users",
-        'type' => 'varchar',
-        'length' => 255,
-        'not null' => TRUE,
-        'default' => '',
-      ),
-      'reg_time' => array(
-        'description' => "The time of user registration",
-        'type' => 'int',
-      ),
-    ),
-    'unique keys' => array(
-      'huid' => array('huid'),
-    ),
-    'primary key' => array( 'uid') ,
-  );
-  return $schema;
-}
diff --git a/modules/pinserver_ldap/pinserver_ldap.js b/modules/pinserver_ldap/pinserver_ldap.js
deleted file mode 100644
index 9e4432b..0000000
--- a/modules/pinserver_ldap/pinserver_ldap.js
+++ /dev/null
@@ -1,74 +0,0 @@
-(function ($) {
-
-// global PIN object.
-
-PIN = {};
-PIN.swapId= "content-area";
-PIN.loginFormId="user-login";
-PIN.drupalHtml="";
-
-PIN.createCookie = function(name,value,days) {
-    if (days) {
-	var date = new Date();
-	date.setTime(date.getTime()+(days*24*60*60*1000));
-	var expires = "; expires="+date.toGMTString();
-    } else {
-	var expires = "";
-    }
-    document.cookie = name+"="+value+expires+"; path=/";
-};
-
-PIN.drupalLogin = function(){
-    $('#' + PIN.swapId).html(PIN.drupalHtml);
-};
-
-PIN.gotoPin =function(){
-    // app should be set in Drupal
-    document.location = "https://www.pin1.harvard.edu/pin/authenticate?__authen_application="+Drupal.settings.app;
-};
-
-PIN.chooseLogin = function() {
-    // email should be set in Drupal
-    //alert("chooseLogin:  " + window.location.hostname);
-    var pin_dest =  document.location.href;
-    // extract node url from login url
-    pin_dest = pin_dest.replace("/user/login?destination=","/").replace("%2F","/");
-    //$.cookie("pin_dest",pin_dest, {path: '/'});
-    PIN.createCookie("pin_dest",pin_dest,1); // drupal js api.
-    if ( $('#'+PIN.swapId).length === 0 ) {
-	PIN.swapId = "pinLoginDiv";
-	$('#'+PIN.loginFormId).wrap('<div id=\"' + PIN.swapId + '" />');
-	//alert("Yeah, dude!");
-    }
-    //alert("Hi Reinhard 2: " + PIN.swapId + " NOW length: " + $('#'+PIN.swapId).length);
-    PIN.drupalHtml=$('#'+PIN.swapId).html();
-    //alert("drupalHtml: " + PIN.drupalHtml);
-    var html="";
-    html += "<div xmlns=\"http:\/\/di.tamu.edu\/DRI\/1.0\/\" style=\"align:center; text-align: center; width:40%; margin:10px; padding:12px; float:left; border:1px solid #CDCDCD; position: relative;\"> ";
-    html += "<form method=\"GET\"> ";
-    html += "<button type=\"button\" onclick=\"PIN.gotoPin()\">Login with HUID and PIN<\/button> ";
-    html += "<\/form> ";
-    html += "<div style=\"text-align: left;\"> ";
-    html += "<p>Are you a Harvard Affiliate with Harvard University ID (HUID) and PIN?<\/p>";
-    html += "<p>Please click the button above to access this site.<\/p>";
-    html += "<p>For more information, please see";
-    html += "<a href=\"http:\/\/www.pin.harvard.edu\/login-help.shtml\"> ";
-    html += "the PIN Login help page<\/a>.<\/p> ";
-    html += "<\/div> ";
-    html += "<\/div> ";
-    html += "<div style=\"align:center; text-align: center; width:40%; margin:10px; padding:12px; float:left; border:1px solid #CDCDCD; position: relative;\"> ";
-    html += "<form method=\"GET\" action=\"\"> ";
-    html += "<button type=\"button\" onclick=\"PIN.drupalLogin()\">Login with Password<\/button> ";
-    html += "<\/form> ";
-    html += "<div style=\"text-align: left;\"> ";
-    html += "<p>Not a Harvard Affiliate?</p><p>Please <a href=\"mailto:" + Drupal.settings.email + "\">contact us<\/a> to obtain login credentials, then click the button above.</p>";
-    html += "<\/p> ";
-    html += "<\/div> ";
-    html += "<\/div> ";
-    $('#'+PIN.swapId).html(html);    	
-};
-
-$(document).ready(function() {
-	PIN.chooseLogin();
-    });
-})(jQuery);
diff --git a/modules/pinserver_ldap/pinserver_ldap.module b/modules/pinserver_ldap/pinserver_ldap.module
deleted file mode 100644
index a7f0fa0..0000000
--- a/modules/pinserver_ldap/pinserver_ldap.module
+++ /dev/null
@@ -1,76 +0,0 @@
-<?php
-
-/**
- * @file
- * Integrates Harvard PIN LDAP attributes with pinserver module.
- */
-
-/**
- * Gets name and email from ldap for given HUID.
- *
- * @param int $huid
- *   A given user's Harvard HUID.
- *
- * @throws Exception
- *
- * @return array $info
- *   An indexed array containing:
- *   - success: TRUE only if there were no errors connecting/binding/querying
- *   the LDAP server.
- *   - errors: An array containing any (string) error messages encountered.
- *   - entries: An indexed array with keys equal to LDAP attribute names,
- *   and values as arrays containing any value(s) found from the search.
- */
-function pinserver_ldap_attributes_from_huid($huid) {
-  $info = array(
-    'success' => FALSE,
-  );
-  $url = variable_get('pinserver_ldap_url', '');
-  $username = variable_get('pinserver_ldap_username', '');
-  $password = variable_get('pinserver_ldap_password', '');
-
-  #error_log("Host: " . $_SERVER['HTTP_HOST']);
-  #error_log("Getting ldap info from " . $url);
-
-  ldap_set_option(NULL, LDAP_OPT_DEBUG_LEVEL, 7);
-  $ds = ldap_connect($url);
-  if (!$ds) {
-    $info['errors'][] = t("Couldn't connect to LDAP.");
-    return $info;
-  }
-
-  ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
-  ldap_set_option($ds, LDAP_OPT_REFERRALS, 0); 
-  $db = ldap_bind($ds, $username, $password);
-  if (!$db) {
-    $info['errors'][] = t("Couldn't bind to LDAP.");
-    return $info;
-  }
-
-  $search_dn = "ou=people, o=Harvard University Core, dc=huid, dc=harvard, dc=edu";
-  $search_filter = "(&(harvardeduidnumber=" . $huid . "))";
-  $sr = ldap_search($ds, $search_dn, $search_filter);
-  if ($sr === FALSE) {
-    $info['errors'][] = t('An error occurred while attempting to search LDAP.');
-    return $info;
-  }
-  $info['success'] = TRUE;
-
-  #echo "\nSearch result is " . $sr . "<br />";
-  #echo "\nNumber of entries returned is " . ldap_count_entries($ds, $sr) . "<br />";
-
-  $entries = ldap_get_entries($ds, $sr);
-  $info['entries'] = $entries;
-
-  #echo "\nData for " . $info["count"] . " items returned:<p>";
-  #var_dump($info);
-
-  return $info;
-}
-
-/**
- * Creates an attractive drupal username based on LDAP information.
- */
-function generate_username($ldap_info) {
-  return $ldap_info['first'] . ' ' . $ldap_info['last'];
-}

From bdf0910087e9e4dcfe816bfbbf3e0abe1191f9cb Mon Sep 17 00:00:00 2001
From: oren <get.oren@gmail.com>
Date: Wed, 5 Mar 2014 10:22:59 -0500
Subject: [PATCH 10/16] Config form is too big. Close fieldsets by default.

---
 pinserver.admin.inc | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/pinserver.admin.inc b/pinserver.admin.inc
index 6835ce0..5bb72dd 100644
--- a/pinserver.admin.inc
+++ b/pinserver.admin.inc
@@ -14,7 +14,7 @@ function pinserver_config() {
     '#type' => 'fieldset',
     '#title' => t('Harvard Pinserver Configuration'),
     '#collapsible' => TRUE,
-    '#collapsed' => FALSE,
+    '#collapsed' => TRUE,
   );
 
   $form['pinserver']['pinserver_pin_url'] = array(
@@ -115,7 +115,7 @@ function pinserver_config() {
     '#type' => 'fieldset',
     '#title' => t('Harvard Pinserver Logging'),
     '#collapsible' => TRUE,
-    '#collapsed' => FALSE,
+    '#collapsed' => TRUE,
   );
 
   $form['pinserver_logging']['pinserver_error_logging_enabled'] = array(

From 4a5d33f7b945e5ca888ad794dd1719c719749293 Mon Sep 17 00:00:00 2001
From: oren <get.oren@gmail.com>
Date: Wed, 5 Mar 2014 10:23:28 -0500
Subject: [PATCH 11/16] Add new include file for LDAP

---
 includes/ldap.inc | 6 ++++++
 1 file changed, 6 insertions(+)
 create mode 100644 includes/ldap.inc

diff --git a/includes/ldap.inc b/includes/ldap.inc
new file mode 100644
index 0000000..c52beb6
--- /dev/null
+++ b/includes/ldap.inc
@@ -0,0 +1,6 @@
+<?php
+
+/**
+ * @file
+ * LDAP functions and settings for pinserver module.
+ */

From ab9e12e317353fb67703b0a2568e3c3f4875f7f0 Mon Sep 17 00:00:00 2001
From: oren <get.oren@gmail.com>
Date: Wed, 5 Mar 2014 10:24:04 -0500
Subject: [PATCH 12/16] Define unchangeable global variables for Harvard LDAP.

---
 includes/ldap.inc | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/includes/ldap.inc b/includes/ldap.inc
index c52beb6..78e8543 100644
--- a/includes/ldap.inc
+++ b/includes/ldap.inc
@@ -4,3 +4,13 @@
  * @file
  * LDAP functions and settings for pinserver module.
  */
+
+// The Harvard LDAP port number.
+define('PINSERVER_LDAP_PORT', 636);
+
+// Appended to "uid=$username," to generate $bind_rdn for ldap_connect().
+define('PINSERVER_LDAP_BASE_RDN', 'o=Harvard University Core,dc=huid,dc=harvard,dc=edu');
+
+// Passed as $base_dn parameter on ldap_search().
+define('PINSERVER_LDAP_BASE_DN', 'ou=people,o=Harvard University Core,dc=huid,dc=harvard,dc=edu');
+

From 5d783d1d470db9c7ef05e7382c39627732f29dff Mon Sep 17 00:00:00 2001
From: oren <get.oren@gmail.com>
Date: Wed, 5 Mar 2014 10:24:36 -0500
Subject: [PATCH 13/16] Import "Get info from HUID" api function to ldap.inc.

---
 includes/ldap.inc | 59 +++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 59 insertions(+)

diff --git a/includes/ldap.inc b/includes/ldap.inc
index 78e8543..7d0ac4f 100644
--- a/includes/ldap.inc
+++ b/includes/ldap.inc
@@ -14,3 +14,62 @@ define('PINSERVER_LDAP_BASE_RDN', 'o=Harvard University Core,dc=huid,dc=harvard,
 // Passed as $base_dn parameter on ldap_search().
 define('PINSERVER_LDAP_BASE_DN', 'ou=people,o=Harvard University Core,dc=huid,dc=harvard,dc=edu');
 
+/**
+ * Gets name and email from ldap for given HUID.
+ *
+ * @param int $huid
+ *   A given user's Harvard HUID.
+ *
+ * @return array $info
+ *   An indexed array containing:
+ *   - success: TRUE only if there were no errors connecting/binding/querying
+ *   the LDAP server.
+ *   - errors: An array containing any (string) error messages encountered.
+ *   - entries: An indexed array with keys equal to LDAP attribute names,
+ *   and values as arrays containing any value(s) found from the search.
+ */
+function pinserver_ldap_attributes_from_huid($huid) {
+  $info = array(
+    'success' => FALSE,
+  );
+
+  // Prepares LDAP connect and bind settings.
+  $hostname = variable_get('pinserver_ldap_hostname', '');
+  $uid = variable_get('pinserver_ldap_uid', '');
+  $bind_password = variable_get('pinserver_ldap_bind_password', '');
+  $base = PINSERVER_LDAP_BASE_RDN;
+  $bind_rdn = "uid={$uid},{$base}";
+  ldap_set_option(NULL, LDAP_OPT_DEBUG_LEVEL, 7);
+
+  // Attempts to connect to host LDAP server.
+  $link_identifier = ldap_connect($hostname, PINSERVER_LDAP_PORT);
+  if (!$link_identifier) {
+    $info['errors'][] = t('Couldn\'t connect to LDAP host: @hostname.', array('@hostname' => $hostname));
+    return $info;
+  }
+
+  // Attempts to bind to host LDAP server on resource.
+  ldap_set_option($link_identifier, LDAP_OPT_PROTOCOL_VERSION, 3);
+  ldap_set_option($link_identifier, LDAP_OPT_REFERRALS, 0);
+  $bind = ldap_bind($link_identifier, $bind_rdn, $bind_password);
+  dpm(array($_SERVER['HTTP_HOST'], $hostname, PINSERVER_LDAP_PORT, $bind_rdn, $bind_password, $link_identifier, $bind, ldap_error($link_identifier)));
+  if (!$bind) {
+    $info['errors'][] = t("Couldn't bind to LDAP.");
+    return $info;
+  }
+
+  // Attempts to search LDAP to find attributes for this HUID.
+  $base_dn = PINSERVER_LDAP_BASE_DN;
+  $filter = "(&(harvardeduidnumber=" . $huid . "))";
+  $result_identifier = ldap_search($link_identifier, $base_dn, $filter);
+  if ($result_identifier === FALSE) {
+    $info['errors'][] = t('An error occurred while attempting to search LDAP.');
+    return $info;
+  }
+
+  // Success. Gets entries and returns.
+  $info['success'] = TRUE;
+  $info['entries'] = ldap_get_entries($link_identifier, $result_identifier);
+
+  return $info;
+}

From 6e4b610998de707ce5a91a65e75dcea92c1a39af Mon Sep 17 00:00:00 2001
From: oren <get.oren@gmail.com>
Date: Wed, 5 Mar 2014 10:24:50 -0500
Subject: [PATCH 14/16] Add developer menu item to test.

---
 pinserver.module | 29 +++++++++++++++++++++++++++++
 1 file changed, 29 insertions(+)

diff --git a/pinserver.module b/pinserver.module
index 209c551..aef0b26 100644
--- a/pinserver.module
+++ b/pinserver.module
@@ -43,9 +43,38 @@ function pinserver_menu() {
     'access callback' => TRUE,
   );
 
+  $items['pinserver_ldap/%'] = array(
+    'page callback' => 'pinserver_ldap_page',
+    'page arguments' => array(1),
+    'access arguments' => array('administer site configuration'),
+    'title' => 'LDAP'
+  );
+
   return $items;
 }
 
+/**
+ * Page callback; @FIXME remove.
+ */
+function pinserver_ldap_page($huid) {
+  $message = t('No valid HUID: @huid', array('@huid' => $huid));
+
+  if (!empty($huid) && is_numeric($huid)) {
+    $message = t('Looking up @huid... <br/>', array('@huid' => $huid));
+    modlue_load_include('inc', 'pinserver', 'includes/ldap');
+    $attributes = pinserver_ldap_attributes_from_huid($huid);
+    dpm($attributes);
+    $message .= $attributes['success'] ? 'GOOD!' : 'bad.';
+  }
+
+  $build = array(
+    '#markup' => $message,
+  );
+
+  return $build;
+}
+
+
 /**
  * Implements hook_permission().
  */

From 73a683a9dea8e17ef3dc13aeb8a5b1396d4db538 Mon Sep 17 00:00:00 2001
From: oren <get.oren@gmail.com>
Date: Wed, 5 Mar 2014 10:27:29 -0500
Subject: [PATCH 15/16] Restore missing files.

---
 README.md                  |  46 ++++++++++++++++
 includes/pinserver.api.inc | 105 +++++++++++++++++++++++++++++++++++++
 2 files changed, 151 insertions(+)
 create mode 100644 README.md
 create mode 100644 includes/pinserver.api.inc

diff --git a/README.md b/README.md
new file mode 100644
index 0000000..3d39578
--- /dev/null
+++ b/README.md
@@ -0,0 +1,46 @@
+## About
+
+A Drupal module that servers as an interface between [Harvard University PIN system](http://www.pin.harvard.edu/)
+and Drupal applications / websites. The purpose of this module is to encapsulate low level details of
+PIN and provide and set of APIs for drupal developers.
+
+The module was developed for and it's part of [OpenScholar](http://openscholar.harvard.edu)
+distribution but does not depend on OpenScholar and can be used in any Drupal installation.
+
+
+## Install
+
+In order to get a working PIN application on a Drupal site, you will need to:
+
+1. [Install the module](http://drupal.org/documentation/install/modules-themes)
+2. [Register as a PIN2 customer](http://reference.pin.harvard.edu/dev-registration)
+3. [Download and install GPG](http://www.gnupg.org/download/index.en.html)
+4. [Create a GPG key on your server](http://www.dewinter.com/gnupg_howto/english/GPGMiniHowto-3.html#ss3.1)
+5. [Import the Harvard PIN public key](http://www.dewinter.com/gnupg_howto/english/GPGMiniHowto-3.html#ss3.3)
+6. Send your public GPG key to directory_services@harvard.edu
+7. Configure your GPG and Harvard PIN application info at /admin/settings/pinserver
+8. Additionally enable the pinserver_authenticate module to allow login via pin
+
+Note: This module currently only implements Harvard PIN API version 1 and
+version 2. There is currently no support in this module for Oracle Access
+Manager (Harvard PIN API version 3).
+
+For more information about developing with PIN, see the
+[Harvard PIN Customer Guide](http://reference.pin.harvard.edu/dev-overview)
+or the Harvard PIN2 [Developer Resources PDF](http://reference.pin.harvard.edu/sites/reference.pin.harvard.edu/files/PIN2%20Developer%20Resources.pdf)
+
+## Contribute
+
+* Write help and docs in our [wiki](https://github.com/openscholar/pinserver/wiki)
+* Submit a bug or ask for support at our [issue queue](https://github.com/openscholar/pinserver/issues)
+* Contribute with bug fixes and new features by sending us pull requests
+
+
+## Credits
+
+Joe Weiner [@jjweiner](https://github.com/jjweiner), Richard Brandon [@rbran100](https://github.com)
+, Shane Dupree [@shanedupree](https://github.com/shanedupree), 
+Oren Robinson [@baisong](https://github.com/baisong), Seth Gregory, Blaise Freeman, Matt Petrovic [@mpetrovic](https://github.com),
+Ferdi Alimadhi [@Ferdi](https://github.com/Ferdi) for their contribution with code and/or ideas.
+
+Special thanks to [IQSS](http://iq.harvard.edu) and [HWP](http://hwp.harvard.edu) for supporting our work.
\ No newline at end of file
diff --git a/includes/pinserver.api.inc b/includes/pinserver.api.inc
new file mode 100644
index 0000000..cf32eb5
--- /dev/null
+++ b/includes/pinserver.api.inc
@@ -0,0 +1,105 @@
+<?php
+
+/**
+ * Returns TRUE user has logged in through pinserver.
+ *
+ * @param int $timeout
+ * - Desired maximum session length, in seconds. Use FALSE for no timeout.
+ *
+ * @return bool
+ */
+function pinserver_check_status($timeout = FALSE) {
+
+  // Verifies that the current user has a valid token with reg_time & HUID.
+  if ($user = pinserver_get_user_huid()) {
+    // Immediately returns TRUE if there is no timeout set.
+    if (!$timeout) {
+      return TRUE;
+    }
+
+    // Otherwise, only returns TRUE if we are before the timeout time.
+    $pin_user = pinserver_get_user();
+    if (time() < ($pin_user['reg_time'] + $timeout)) {
+      return TRUE;
+    }
+  }
+  return FALSE;
+}
+
+/**
+ * Checks if user is Harvard employee based on pinserver variable.
+ *
+ * @return string or FALSE
+ */
+function pinserver_is_harvard_employee() {
+
+  if($user = pinserver_get_user() && isset($user['harvard_employee'])){
+    return $user['harvard_employee'];
+  }
+
+  return FALSE;
+}
+
+/**
+ * Returns the current pinserver user.
+ *
+ * @param $user
+ * The pin user to set as logged in.
+ *
+ * @param $use_session
+ * Should this pin user be stored in the session.
+ */
+function pinserver_get_user($user = false, $set_session = false) {
+  $pin_user = &drupal_static(__FUNCTION__);
+
+  if ($user) {
+    $pin_user = $user;
+
+    if (isset($_SESSION['pinserver']) || $set_session) {
+      $_SESSION['pinserver'] = $user;
+    }
+  }
+  elseif (empty($pin_user) && !empty($_SESSION['pinserver'])) {
+    $pin_user = $_SESSION['pinserver'];
+  }
+
+  return $pin_user;
+}
+
+/**
+ * Returns the huid of the logged-in pinserver user.
+ */
+function pinserver_get_user_huid() {
+
+  if(($user = pinserver_get_user()) && isset($user['huid'])){
+    return $user['huid'];
+  }
+
+  return FALSE;
+}
+
+/**
+ * Remove session values set after successful pinserver login.
+ */
+function pinserver_remove_session() {
+  // Remove session values.
+  if (isset($_SESSION['pinserver'])) {
+    unset($_SESSION['pinserver']);
+  }
+}
+
+/**
+ * Create a user and set them as logged in using token data.
+ */
+function pinserver_add_user_from_token($token_data, $use_session = FALSE){
+
+  // Places encrypted harvard uid into session array.
+  $pin_user['huid'] = $token_data['user_id'];
+  $pin_user['reg_time'] = time();
+
+  if(isset($token_data['department']) && !empty($token_data['department'])) {
+    $pin_user['harvard_employee'] = $token_data['department'];
+  }
+
+  pinserver_get_user($pin_user, $use_session);
+}
\ No newline at end of file

From 8cd233c1554ae38b4d171f15c4935aa8cbbd0f03 Mon Sep 17 00:00:00 2001
From: oren <get.oren@gmail.com>
Date: Wed, 12 Mar 2014 10:54:22 -0400
Subject: [PATCH 16/16] add and test NOC ldap snippet (fail) #13

---
 includes/ldap.inc | 123 ++++++++++++++++++++++++++++++++++++++++++++--
 pinserver.module  |  14 +++---
 2 files changed, 126 insertions(+), 11 deletions(-)

diff --git a/includes/ldap.inc b/includes/ldap.inc
index 7d0ac4f..858b4f6 100644
--- a/includes/ldap.inc
+++ b/includes/ldap.inc
@@ -9,7 +9,7 @@
 define('PINSERVER_LDAP_PORT', 636);
 
 // Appended to "uid=$username," to generate $bind_rdn for ldap_connect().
-define('PINSERVER_LDAP_BASE_RDN', 'o=Harvard University Core,dc=huid,dc=harvard,dc=edu');
+define('PINSERVER_LDAP_BASE_RDN', 'ou=applications,o=Harvard University Core,dc=huid,dc=harvard,dc=edu');
 
 // Passed as $base_dn parameter on ldap_search().
 define('PINSERVER_LDAP_BASE_DN', 'ou=people,o=Harvard University Core,dc=huid,dc=harvard,dc=edu');
@@ -47,14 +47,14 @@ function pinserver_ldap_attributes_from_huid($huid) {
     $info['errors'][] = t('Couldn\'t connect to LDAP host: @hostname.', array('@hostname' => $hostname));
     return $info;
   }
-
+  $info['errors'][] = t('LDAP connect error: @error', array('@error' => ldap_error($link_identifier)));
   // Attempts to bind to host LDAP server on resource.
   ldap_set_option($link_identifier, LDAP_OPT_PROTOCOL_VERSION, 3);
   ldap_set_option($link_identifier, LDAP_OPT_REFERRALS, 0);
   $bind = ldap_bind($link_identifier, $bind_rdn, $bind_password);
   dpm(array($_SERVER['HTTP_HOST'], $hostname, PINSERVER_LDAP_PORT, $bind_rdn, $bind_password, $link_identifier, $bind, ldap_error($link_identifier)));
   if (!$bind) {
-    $info['errors'][] = t("Couldn't bind to LDAP.");
+    $info['errors'][] = t('LDAP bind failed. Error: @error', array('@error' => ldap_error($link_identifier)));
     return $info;
   }
 
@@ -73,3 +73,120 @@ function pinserver_ldap_attributes_from_huid($huid) {
 
   return $info;
 }
+
+/**
+ *
+ */
+
+/**
+ *
+ */
+function getLDAPCreds() {
+  $creds = array(
+    'ldap_server'	=> 'ldaps://hu-ldap.harvard.edu',
+    'ldap_pass'	 => variable_get('pinserver_ldap_bind_password',''),
+    'ldap_user'	 => 'uid=' . variable_get('pinserver_ldap_uid') . ',ou=applications,o=Harvard University Core,dc=huid,dc=harvard,dc=edu',
+    'ldap_trees'	=> array("ou=people", "ou=jobs"),
+    'people_dn'	 => 'ou=people,o=Harvard University Core,dc=huid,dc=harvard,dc=edu',
+    'jobs_dn'	 => 'ou=jobs,o=Harvard University Core,dc=huid,dc=harvard,dc=edu',
+  );
+
+  return $creds;
+}
+
+/**
+ *
+ */
+function getLDAPUser($huid) {
+  $output = 'Fetching credentials...';
+  $ldap_creds = getLDAPCreds();
+  dpm($ldap_creds);
+  $ldap_server = $ldap_creds['ldap_server'];
+  $ldap_user = $ldap_creds['ldap_user'];
+  $ldap_pass = $ldap_creds['ldap_pass'];;
+  $ldap_trees = $ldap_creds['ldap_trees'];
+  $people_dn = $ldap_creds['people_dn'];
+  $jobs_dn = $ldap_creds['jobs_dn'];
+
+  $ds=ldap_connect($ldap_server);  // must be a valid LDAP server!
+
+  $user = array();
+  if ($ds) {
+    if (!ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3)) {
+      $output .= "Failed to set LDAP Protocol version to 3, TLS not supported. ";
+    }
+    //	 if (!ldap_start_tls($ds)) {
+    //	 error("ldap_start_tls failed " . ldap_err2str(ldap_errno()));
+    //	 }
+
+    #get person info
+    $r=ldap_bind($ds, $ldap_user, $ldap_pass);
+    if (!$r) {
+      $output .= 'failure creating LDAP bind: ' . ldap_err2str(ldap_errno());
+    }
+
+    $sr=ldap_search($ds, $people_dn, "(harvardEduIDNumber=$huid)");
+    if (!$sr) {
+      $output .= 'failure executing LDAP search: ' . ldap_err2str(ldap_errno());
+    }
+
+    $info = ldap_get_entries($ds, $sr);
+    dpm($info, "info");
+    $info = $info[0];
+
+    $output .= prettyPrintLDAP($info);
+
+    #get job info
+    if (FALSE) {
+      $job = $info['harvardeduprimejobdn'][0];
+      list($job) = explode(',', $job);
+      if ($job) {
+        getLDAPJobInfo($job, $ds);
+      }
+    }
+  } else {
+    $output .= ldap_err2str(ldap_errno());
+  }
+
+  return $output;
+}
+
+/**
+ *
+ */
+function getLDAPJobInfo($job, $ds) {
+  $jobs_dn = 'ou=jobs,o=Harvard University Core,dc=huid,dc=harvard,dc=edu';
+
+  $sr=ldap_search($ds, $jobs_dn, "($job)");
+  $job = ldap_get_entries($ds, $sr);
+
+  $job = $job[0];
+
+  prettyPrintLDAP($job);
+}
+
+/**
+ *
+ */
+function prettyPrintLDAP($ldap) {
+  $output = '';
+  foreach ($ldap as $k => $vs) {
+    if (is_array($vs)) {
+      $output .= $k . "<br/>";
+
+      $has_val = false;
+      foreach ($vs as $vk => $v) {
+        if (preg_match('/^\d+$/', $vk) && strlen($v)) {
+          $output .= " * " . $v . "<br/>";
+          $has_val = true;
+        }
+      }
+      if (!$has_val) {
+        $output .= " * (no value)\n";
+      }
+      $output .= "<br/>";
+    }
+  }
+
+  return $output;
+}
diff --git a/pinserver.module b/pinserver.module
index aef0b26..c05e486 100644
--- a/pinserver.module
+++ b/pinserver.module
@@ -43,9 +43,9 @@ function pinserver_menu() {
     'access callback' => TRUE,
   );
 
-  $items['pinserver_ldap/%'] = array(
+  $items['pinserver/ldap/%'] = array(
     'page callback' => 'pinserver_ldap_page',
-    'page arguments' => array(1),
+    'page arguments' => array(2),
     'access arguments' => array('administer site configuration'),
     'title' => 'LDAP'
   );
@@ -60,11 +60,10 @@ function pinserver_ldap_page($huid) {
   $message = t('No valid HUID: @huid', array('@huid' => $huid));
 
   if (!empty($huid) && is_numeric($huid)) {
-    $message = t('Looking up @huid... <br/>', array('@huid' => $huid));
-    modlue_load_include('inc', 'pinserver', 'includes/ldap');
-    $attributes = pinserver_ldap_attributes_from_huid($huid);
-    dpm($attributes);
-    $message .= $attributes['success'] ? 'GOOD!' : 'bad.';
+    $message = t('Looking up huid @huid... <br/>', array('@huid' => $huid));
+    module_load_include('inc', 'pinserver', 'includes/ldap');
+    $attributes = getLDAPUser($huid);
+    $message .= $attributes;
   }
 
   $build = array(
@@ -74,7 +73,6 @@ function pinserver_ldap_page($huid) {
   return $build;
 }
 
-
 /**
  * Implements hook_permission().
  */